Elliptic Curves: Number Theory and Cryptography, Second Edition [2 ed.] 9781420071467, 9781420071474, 9780429140808

Table of contents :
Cover
Title Page
Copyright Page
Dedication Page
Preface
Preface to Second Edition
Suggestions to Reader
Table of Contents
1 Introduction
Exercises
2 The Basic Theory
2.1 Weierstrass Equations
2.2 The Group Law
2.3 Projective Space and the Point at Infinity
2.4 Proof of Associativity
2.4.1 The Theorems of Pappus and Pascal
2.5 Other Equations for Elliptic Curves
2.5.1 Legendre Equation
2.5.2 Cubic Equations
2.5.3 Quartic Equations
2.5.4 Intersection of Two Quadratic Surfaces
2.6 Other Coordinate Systems
2.6.1 Projective Coordinates
2.6.2 Jacobian Coordinates
2.6.3 Edwards Coordinates
2.7 The j-invariant
2.8 Elliptic Curves in Characteristic 2
2.9 Endomorphisms
2.10 Singular Curves
2.11 Elliptic Curves mod n
Exercises
3 Torsion Points
3.1 Torsion Points
3.2 Division Polynomials
3.3 The Weil Pairing
3.4 The Tate-Lichtenbaum Pairing
Exercises
4 Elliptic Curves over Finite Fields
4.1 Examples
4.2 The Frobenius Endomorphism
4.3 Determining the Group Order
4.3.1 Subfield Curves
4.3.2 Legendre Symbols
4.3.3 Orders of Points
4.3.4 Baby Step, Giant Step
4.4 A Family of Curves
4.5 Schoof’s Algorithm
4.6 Supersingular Curves
Exercises
5 The Discrete Logarithm Problem
5.1 The Index Calculus
5.2 General Attacks on Discrete Logs
5.2.1 Baby Step, Giant Step
5.2.2 Pollard’s ρ and λ Methods
5.2.3 The Pohlig-Hellman Method
5.3 Attacks with Pairings
5.3.1 The MOV Attack
5.3.2 The Frey-Rück Attack
5.4 Anomalous Curves
5.5 Other Attacks
Exercises
6 Elliptic Curve Cryptography
6.1 The Basic Setup
6.2 Diffie-Hellman Key Exchange
6.3 Massey-Omura Encryption
6.4 ElGamal Public Key Encryption
6.5 ElGamal Digital Signatures
6.6 The Digital Signature Algorithm
6.7 ECIES
6.8 A Public Key Scheme Based on Factoring
6.9 A Cryptosystem Based on the Weil Pairing
Exercises
7 Other Applications
7.1 Factoring Using Elliptic Curves
7.2 Primality Testing
Exercises
8 Elliptic Curves over Q
8.1 The Torsion Subgroup. The Lutz-Nagell Theorem
8.2 Descent and the Weak Mordell-Weil Theorem
8.3 Heights and the Mordell-Weil Theorem
8.4 Examples
8.5 The Height Pairing
8.6 Fermat’s Infinite Descent
8.7 2-Selmer Groups; Shafarevich-Tate Groups
8.8 A Nontrivial Shafarevich-Tate Group
8.9 Galois Cohomology
Exercises
9 Elliptic Curves over C
9.1 Doubly Periodic Functions
9.2 Tori are Elliptic Curves
9.3 Elliptic Curves over C
9.4 Computing Periods
9.4.1 The Arithmetic-Geometric Mean
9.5 Division Polynomials
9.6 The Torsion Subgroup: Doud’s Method
Exercises
10 Complex Multiplication
10.1 Elliptic Curves over C
10.2 Elliptic Curves over Finite Fields
10.3 Integrality of j-invariants
10.4 Numerical Examples
10.5 Kronecker’s Jugendtraum
Exercises
11 Divisors
11.1 Definitions and Examples
11.2 The Weil Pairing
11.3 The Tate-Lichtenbaum Pairing
11.4 Computation of the Pairings
11.5 Genus One Curves and Elliptic Curves
11.6 Equivalence of the Definitions of the Pairings
11.6.1 The Weil Pairing
11.6.2 The Tate-Lichtenbaum Pairing
11.7 Nondegeneracy of the Tate-Lichtenbaum Pairing
Exercises
12 Isogenies
12.1 The Complex Theory
12.2 The Algebraic Theory
12.3 Vélu’s Formulas
12.4 Point Counting
12.5 Complements
Exercises
13 Hyperelliptic Curves
13.1 Basic Definitions
13.2 Divisors
13.3 Cantor’s Algorithm
13.4 The Discrete Logarithm Problem
Exercises
14 Zeta Functions
14.1 Elliptic Curves over Finite Fields
14.2 Elliptic Curves over Q
Exercises
15 Fermat’s Last Theorem
15.1 Overview
15.2 Galois Representations
15.3 Sketch of Ribet’s Proof
15.4 Sketch of Wiles’s Proof
A Number Theory
B Groups
C Fields
D Computer Packages
D.1 Pari
D.2 Magma
D.3 SAGE
References
Index

Citation preview

E C N T  C S  E

C7146_FM.indd 1

2/25/08 10:18:35 AM

DISCRETE MATHEMATICS ITS APPLICATIONS Series Editor

Kenneth H. Rosen, Ph.D. Juergen Bierbrauer, Introduction to Coding Theory Francine Blanchet-Sadri, Algorithmic Combinatorics on Partial Words Kun-Mao Chao and Bang Ye Wu, Spanning Trees and Optimization Problems Charalambos A. Charalambides, Enumerative Combinatorics Henri Cohen, Gerhard Frey, et al., Handbook of Elliptic and Hyperelliptic Curve Cryptography Charles J. Colbourn and Jeffrey H. Dinitz, Handbook of Combinatorial Designs, Second Edition Martin Erickson and Anthony Vazzana, Introduction to Number Theory Steven Furino, Ying Miao, and Jianxing Yin, Frames and Resolvable Designs: Uses, Constructions, and Existence Randy Goldberg and Lance Riek, A Practical Handbook of Speech Coders Jacob E. Goodman and Joseph O’Rourke, Handbook of Discrete and Computational Geometry, Second Edition Jonathan L. Gross, Combinatorial Methods with Computer Applications Jonathan L. Gross and Jay Yellen, Graph Theory and Its Applications, Second Edition Jonathan L. Gross and Jay Yellen, Handbook of Graph Theory Darrel R. Hankerson, Greg A. Harris, and Peter D. Johnson, Introduction to Information Theory and Data Compression, Second Edition Daryl D. Harms, Miroslav Kraetzl, Charles J. Colbourn, and John S. Devitt, Network Reliability: Experiments with a Symbolic Algebra Environment Leslie Hogben, Handbook of Linear Algebra Derek F. Holt with Bettina Eick and Eamonn A. O’Brien, Handbook of Computational Group Theory David M. Jackson and Terry I. Visentin, An Atlas of Smaller Maps in Orientable and Nonorientable Surfaces Richard E. Klima, Neil P . Sigmon, and Ernest L. Stitzinger, Applications of Abstract Algebra with Maple™ and MATLAB®, Second Edition Patrick Knupp and Kambiz Salari, Verification of Computer Codes in Computational Science and Engineering

C7146_FM.indd 2

2/25/08 10:18:35 AM

Continued Titles William Kocay and Donald L. Kreher, Graphs, Algorithms, and Optimization Donald L. Kreher and Douglas R. Stinson, Combinatorial Algorithms: Generation Enumeration and Search Charles C. Lindner and Christopher A. Rodgers, Design Theory Hang T. Lau, A Java Library of Graph Algorithms and Optimization Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied Cryptography Richard A. Mollin, Algebraic Number Theory Richard A. Mollin, Codes: The Guide to Secrecy from Ancient to Modern Times Richard A. Mollin, Fundamental Number Theory with Applications, Second Edition Richard A. Mollin, An Introduction to Cryptography, Second Edition Richard A. Mollin, Quadratics Richard A. Mollin, RSA and Public-Key Cryptography Carlos J. Moreno and Samuel S. Wagstaff, Jr., Sums of Squares of Integers Dingyi Pei, Authentication Codes and Combinatorial Designs Kenneth H. Rosen, Handbook of Discrete and Combinatorial Mathematics Douglas R. Shier and K.T. Wallenius, Applied Mathematical Modeling: A Multidisciplinary Approach Jörn Steuding, Diophantine Analysis Douglas R. Stinson, Cryptography: Theory and Practice, Third Edition Roberto Togneri and Christopher J. deSilva, Fundamentals of Information Theory and Coding Design W. D. Wallis, Introduction to Combinatorial Designs, Second Edition Lawrence C. Washington, Elliptic Curves: Number Theory and Cryptography, Second Edition

C7146_FM.indd 3

2/25/08 10:18:36 AM

C7146_FM.indd 4

2/25/08 10:18:36 AM

DISCRETE MATHEMATICS AND ITS APPLICATIONS Series Editor KENNETH H. ROSEN

E C N T  C S  E   

L AW RE NCE C . WA SHING TON Uni ve rsi t y of M a ryl a nd Col l e g e Par k, M a ryl a nd, U.S.A.

C7146_FM.indd 5

2/25/08 10:18:36 AM

CRC Press Taylor & Francis Group 6000 Broken Sound Parkway NW, Suite 300 Boca Raton, FL 33487-2742 © 2008 by Taylor & Francis Group, LLC CRC Press is an imprint of Taylor & Francis Group, an Informa business No claim to original U.S. Government works Version Date: 20131121 International Standard Book Number-13: 978-1-4200-7147-4 (eBook - PDF) This book contains information obtained from authentic and highly regarded sources. Reasonable efforts have been made to publish reliable data and information, but the author and publisher cannot assume responsibility for the validity of all materials or the consequences of their use. The authors and publishers have attempted to trace the copyright holders of all material reproduced in this publication and apologize to copyright holders if permission to publish in this form has not been obtained. If any copyright material has not been acknowledged please write and let us know so we may rectify in any future reprint. Except as permitted under U.S. Copyright Law, no part of this book may be reprinted, reproduced, transmitted, or utilized in any form by any electronic, mechanical, or other means, now known or hereafter invented, including photocopying, microfilming, and recording, or in any information storage or retrieval system, without written permission from the publishers. For permission to photocopy or use material electronically from this work, please access www.copyright. com (http://www.copyright.com/) or contact the Copyright Clearance Center, Inc. (CCC), 222 Rosewood Drive, Danvers, MA 01923, 978-750-8400. CCC is a not-for-profit organization that provides licenses and registration for a variety of users. For organizations that have been granted a photocopy license by the CCC, a separate system of payment has been arranged. Trademark Notice: Product or corporate names may be trademarks or registered trademarks, and are used only for identification and explanation without intent to infringe. Visit the Taylor & Francis Web site at http://www.taylorandfrancis.com and the CRC Press Web site at http://www.crcpress.com

To Susan and Patrick

Preface Over the last two or three decades, elliptic curves have been playing an increasingly important role both in number theory and in related fields such as cryptography. For example, in the 1980s, elliptic curves started being used in cryptography and elliptic curve techniques were developed for factorization and primality testing. In the 1980s and 1990s, elliptic curves played an important role in the proof of Fermat’s Last Theorem. The goal of the present book is to develop the theory of elliptic curves assuming only modest backgrounds in elementary number theory and in groups and fields, approximately what would be covered in a strong undergraduate or beginning graduate abstract algebra course. In particular, we do not assume the reader has seen any algebraic geometry. Except for a few isolated sections, which can be omitted if desired, we do not assume the reader knows Galois theory. We implicitly use Galois theory for finite fields, but in this case everything can be done explicitly in terms of the Frobenius map so the general theory is not needed. The relevant facts are explained in an appendix. The book provides an introduction to both the cryptographic side and the number theoretic side of elliptic curves. For this reason, we treat elliptic curves over finite fields early in the book, namely in Chapter 4. This immediately leads into the discrete logarithm problem and cryptography in Chapters 5, 6, and 7. The reader only interested in cryptography can subsequently skip to Chapters 11 and 13, where the Weil and Tate-Lichtenbaum pairings and hyperelliptic curves are discussed. But surely anyone who becomes an expert in cryptographic applications will have a little curiosity as to how elliptic curves are used in number theory. Similarly, a non-applications oriented reader could skip Chapters 5, 6, and 7 and jump straight into the number theory in Chapters 8 and beyond. But the cryptographic applications are interesting and provide examples for how the theory can be used. There are several fine books on elliptic curves already in the literature. This book in no way is intended to replace Silverman’s excellent two volumes [109], [111], which are the standard references for the number theoretic aspects of elliptic curves. Instead, the present book covers some of the same material, plus applications to cryptography, from a more elementary viewpoint. It is hoped that readers of this book will subsequently find Silverman’s books more accessible and will appreciate their slightly more advanced approach. The books by Knapp [61] and Koblitz [64] should be consulted for an approach to the arithmetic of elliptic curves that is more analytic than either this book or [109]. For the cryptographic aspects of elliptic curves, there is the recent book of Blake et al. [12], which gives more details on several algorithms than the

ix

x present book, but contains few proofs. It should be consulted by serious students of elliptic curve cryptography. We hope that the present book provides a good introduction to and explanation of the mathematics used in that book. The books by Enge [38], Koblitz [66], [65], and Menezes [82] also treat elliptic curves from a cryptographic viewpoint and can be profitably consulted. Notation. The symbols Z, Fq , Q, R, C denote the integers, the finite field with q elements, the rationals, the reals, and the complex numbers, respectively. We have used Zn (rather than Z/nZ) to denote the integers mod n. However, when p is a prime and we are working with Zp as a field, rather than as a group or ring, we use Fp in order to remain consistent with the notation Fq . Note that Zp does not denote the p-adic integers. This choice was made for typographic reasons since the integers mod p are used frequently, while a symbol for the p-adic integers is used only in a few examples in Chapter 13 (where we use Op ). The p-adic rationals are denoted by Qp . If K is a field, then K denotes an algebraic closure of K. If R is a ring, then R× denotes the invertible elements of R. When K is a field, K × is therefore the multiplicative group of nonzero elements of K. Throughout the book, the letters K and E are generally used to denote a field and an elliptic curve (except in Chapter 9, where K is used a few times for an elliptic integral). Acknowledgments. The author thanks Bob Stern of CRC Press for suggesting that this book be written and for his encouragement, and the editorial staff at CRC Press for their help during the preparation of the book. Ed Eikenberg, Jim Owings, Susan Schmoyer, Brian Conrad, and Sam Wagstaff made many suggestions that greatly improved the manuscript. Of course, there is always room for more improvement. Please send suggestions and corrections to the author ([email protected]). Corrections will be listed on the web site for the book (www.math.umd.edu/∼lcw/ellipticcurves.html).

Preface to the Second Edition

The main question asked by the reader of a preface to a second edition is “What is new?” The main additions are the following: 1. A chapter on isogenies. 2. A chapter on hyperelliptic curves, which are becoming prominent in many situations, especially in cryptography. 3. A discussion of alternative coordinate systems (projective coordinates, Jacobian coordinates, Edwards coordinates) and related computational issues. 4. A more complete treatment of the Weil and Tate-Lichtenbaum pairings, including an elementary definition of the Tate-Lichtenbaum pairing, a proof of its nondegeneracy, and a proof of the equality of two common definitions of the Weil pairing. 5. Doud’s analytic method for computing torsion on elliptic curves over Q. 6. Some additional techniques for determining the group of points for an elliptic curve over a finite field. 7. A discussion of how to do computations with elliptic curves in some popular computer algebra systems. 8. Several more exercises. Thanks are due to many people, especially Susan Schmoyer, Juliana Belding, Tsz Wo Nicholas Sze, Enver Ozdemir, Qiao Zhang,and Koichiro Harada for helpful suggestions. Several people sent comments and corrections for the first edition, and we are very thankful for their input. We have incorporated most of these into the present edition. Of course, we welcome comments and corrections for the present edition ([email protected]). Corrections will be listed on the web site for the book (www.math.umd.edu/∼lcw/ellipticcurves.html).

xi

Suggestions to the Reader

This book is intended for at least two audiences. One is computer scientists and cryptographers who want to learn about elliptic curves. The other is for mathematicians who want to learn about the number theory and geometry of elliptic curves. Of course, there is some overlap between the two groups. The author of course hopes the reader wants to read the whole book. However, for those who want to start with only some of the chapters, we make the following suggestions. Everyone: A basic introduction to the subject is contained in Chapters 1, 2, 3, 4. Everyone should read these. I. Cryptographic Track: Continue with Chapters 5, 6, 7. Then go to Chapters 11 and 13. II. Number Theory Track: Read Chapters 8, 9, 10, 11, 12, 14, 15. Then go back and read the chapters you skipped since you should know how the subject is being used in applications. III. Complex Track: Read Chapters 9 and 10, plus Section 12.1.

xiii

Contents

1 Introduction Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 The 2.1 2.2 2.3 2.4

Basic Theory Weierstrass Equations . . . . . . . . . . . . . . The Group Law . . . . . . . . . . . . . . . . . Projective Space and the Point at Infinity . . . Proof of Associativity . . . . . . . . . . . . . . 2.4.1 The Theorems of Pappus and Pascal . . 2.5 Other Equations for Elliptic Curves . . . . . . 2.5.1 Legendre Equation . . . . . . . . . . . . 2.5.2 Cubic Equations . . . . . . . . . . . . . 2.5.3 Quartic Equations . . . . . . . . . . . . 2.5.4 Intersection of Two Quadratic Surfaces 2.6 Other Coordinate Systems . . . . . . . . . . . 2.6.1 Projective Coordinates . . . . . . . . . . 2.6.2 Jacobian Coordinates . . . . . . . . . . 2.6.3 Edwards Coordinates . . . . . . . . . . 2.7 The j-invariant . . . . . . . . . . . . . . . . . . 2.8 Elliptic Curves in Characteristic 2 . . . . . . . 2.9 Endomorphisms . . . . . . . . . . . . . . . . . 2.10 Singular Curves . . . . . . . . . . . . . . . . . 2.11 Elliptic Curves mod n . . . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . . . . . . . .

3 Torsion Points 3.1 Torsion Points . . . . 3.2 Division Polynomials 3.3 The Weil Pairing . . . 3.4 The Tate-Lichtenbaum Exercises . . . . . . . . . .

1 8

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . . . . . .

9 9 12 18 20 33 35 35 36 37 39 42 42 43 44 45 47 50 59 64 71

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

77 77 80 86 90 92

4 Elliptic Curves over Finite Fields 4.1 Examples . . . . . . . . . . . . . 4.2 The Frobenius Endomorphism . 4.3 Determining the Group Order . 4.3.1 Subfield Curves . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

95 95 98 102 102

. . . . . . . . . . . . . . . Pairing . . . . .

xv

xvi 4.3.2 Legendre Symbols . . 4.3.3 Orders of Points . . . 4.3.4 Baby Step, Giant Step 4.4 A Family of Curves . . . . . 4.5 Schoof’s Algorithm . . . . . 4.6 Supersingular Curves . . . . Exercises . . . . . . . . . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

. . . . . . .

104 106 112 115 123 130 139

5 The Discrete Logarithm Problem 5.1 The Index Calculus . . . . . . . . . 5.2 General Attacks on Discrete Logs . 5.2.1 Baby Step, Giant Step . . . . 5.2.2 Pollard’s ρ and λ Methods . . 5.2.3 The Pohlig-Hellman Method 5.3 Attacks with Pairings . . . . . . . . 5.3.1 The MOV Attack . . . . . . . 5.3.2 The Frey-R¨ uck Attack . . . . 5.4 Anomalous Curves . . . . . . . . . . 5.5 Other Attacks . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

143 144 146 146 147 151 154 154 157 159 165 166

6 Elliptic Curve Cryptography 6.1 The Basic Setup . . . . . . . . . . . . . . . 6.2 Diffie-Hellman Key Exchange . . . . . . . . 6.3 Massey-Omura Encryption . . . . . . . . . 6.4 ElGamal Public Key Encryption . . . . . 6.5 ElGamal Digital Signatures . . . . . . . . . 6.6 The Digital Signature Algorithm . . . . . . 6.7 ECIES . . . . . . . . . . . . . . . . . . . . 6.8 A Public Key Scheme Based on Factoring . 6.9 A Cryptosystem Based on the Weil Pairing Exercises . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

169 169 170 173 174 175 179 180 181 184 187

7 Other Applications 7.1 Factoring Using Elliptic Curves . . . . . . . . . . . . . . . . 7.2 Primality Testing . . . . . . . . . . . . . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

189 189 194 197

8 Elliptic Curves over Q 8.1 The Torsion Subgroup. The Lutz-Nagell Theorem 8.2 Descent and the Weak Mordell-Weil Theorem . . 8.3 Heights and the Mordell-Weil Theorem . . . . . . 8.4 Examples . . . . . . . . . . . . . . . . . . . . . . . 8.5 The Height Pairing . . . . . . . . . . . . . . . . . 8.6 Fermat’s Infinite Descent . . . . . . . . . . . . . .

199 199 208 215 223 230 231

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

xvii 8.7 2-Selmer Groups; Shafarevich-Tate Groups 8.8 A Nontrivial Shafarevich-Tate Group . . . 8.9 Galois Cohomology . . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

236 239 244 253

9 Elliptic Curves over C 9.1 Doubly Periodic Functions . . . . . . . 9.2 Tori are Elliptic Curves . . . . . . . . . 9.3 Elliptic Curves over C . . . . . . . . . . 9.4 Computing Periods . . . . . . . . . . . 9.4.1 The Arithmetic-Geometric Mean 9.5 Division Polynomials . . . . . . . . . . 9.6 The Torsion Subgroup: Doud’s Method Exercises . . . . . . . . . . . . . . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

. . . . . . . .

257 257 267 272 286 288 294 302 307

10 Complex Multiplication 10.1 Elliptic Curves over C . . 10.2 Elliptic Curves over Finite 10.3 Integrality of j-invariants 10.4 Numerical Examples . . . 10.5 Kronecker’s Jugendtraum Exercises . . . . . . . . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

311 311 318 322 330 336 337

11 Divisors 11.1 Definitions and Examples . . . . . . . . . . . . . 11.2 The Weil Pairing . . . . . . . . . . . . . . . . . . 11.3 The Tate-Lichtenbaum Pairing . . . . . . . . . . 11.4 Computation of the Pairings . . . . . . . . . . . 11.5 Genus One Curves and Elliptic Curves . . . . . 11.6 Equivalence of the Definitions of the Pairings . . 11.6.1 The Weil Pairing . . . . . . . . . . . . . . 11.6.2 The Tate-Lichtenbaum Pairing . . . . . . 11.7 Nondegeneracy of the Tate-Lichtenbaum Pairing Exercises . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

339 339 349 354 358 364 370 371 374 375 379

. . . . . .

381 381 386 392 396 401 402

12 Isogenies 12.1 The Complex Theory 12.2 The Algebraic Theory 12.3 V´elu’s Formulas . . . 12.4 Point Counting . . . . 12.5 Complements . . . . . Exercises . . . . . . . . . .

. . . . . .

. . . . . .

. . . . Fields . . . . . . . . . . . . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

. . . . . .

xviii 13 Hyperelliptic Curves 13.1 Basic Definitions . . . . . . . . . 13.2 Divisors . . . . . . . . . . . . . . 13.3 Cantor’s Algorithm . . . . . . . 13.4 The Discrete Logarithm Problem Exercises . . . . . . . . . . . . . . . .

. . . . .

407 407 409 417 420 426

14 Zeta Functions 14.1 Elliptic Curves over Finite Fields . . . . . . . . . . . . . . . . 14.2 Elliptic Curves over Q . . . . . . . . . . . . . . . . . . . . . . Exercises . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

429 429 433 442

15 Fermat’s Last Theorem 15.1 Overview . . . . . . . . 15.2 Galois Representations 15.3 Sketch of Ribet’s Proof 15.4 Sketch of Wiles’s Proof

445 445 448 454 461

. . . .

. . . .

. . . .

. . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . . .

. . . .

. . . .

A Number Theory

471

B Groups

477

C Fields

481

D Computer Packages D.1 Pari . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.2 Magma . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D.3 SAGE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

489 489 492 494

References

501

Index

509

Chapter 1 Introduction Suppose a collection of cannonballs is piled in a square pyramid with one ball on the top layer, four on the second layer, nine on the third layer, etc. If the pile collapses, is it possible to rearrange the balls into a square array?

Figure 1.1

A Pyramid of Cannonballs

If the pyramid has three layers, then this cannot be done since there are 1 + 4 + 9 = 14 balls, which is not a perfect square. Of course, if there is only one ball, it forms a height one pyramid and also a one-by-one square. If there are no cannonballs, we have a height zero pyramid and a zero-by-zero square. Besides theses trivial cases, are there any others? We propose to find another example, using a method that goes back to Diophantus (around 250 A.D.). If the pyramid has height x, then there are 12 + 22 + 32 + · · · + x2 =

x(x + 1)(2x + 1) 6

balls (see Exercise 1.1). We want this to be a perfect square, which means that we want to find a solution to y2 =

x(x + 1)(2x + 1) 6 1

2

CHAPTER 1 INTRODUCTION

Figure 1.2

y 2 = x(x + 1)(2x + 1)/6 in positive integers x, y. An equation of this type represents an elliptic curve. The graph is given in Figure 1.2. The method of Diophantus uses the points we already know to produce new points. Let’s start with the points (0,0) and (1,1). The line through these two points is y = x. Intersecting with the curve gives the equation x2 =

1 x(x + 1)(2x + 1) 1 1 = x3 + x2 + x. 6 3 2 6

Rearranging yields 3 1 x3 − x2 + x = 0. 2 2 Fortunately, we already know two roots of this equation: x = 0 and x = 1. This is because the roots are the x-coordinates of the intersections between the line and the curve. We could factor the polynomial to find the third root, but there is a better way. Note that for any numbers a, b, c, we have (x − a)(x − b)(x − c) = x3 − (a + b + c)x2 + (ab + ac + bc)x − abc. Therefore, when the coefficient of x3 is 1, the negative of the coefficient of x2 is the sum of the roots. In our case, we have roots 0, 1, and x, so 0+1+x=

3 . 2

Therefore, x = 1/2. Since the line was y = x, we have y = 1/2, too. It’s hard to say what this means in terms of piles of cannonballs, but at least we have found another point on the curve. In fact, we automatically have even one more point, namely (1/2, −1/2), because of the symmetry of the curve.

INTRODUCTION

3

Let’s repeat the above procedure using the points (1/2, −1/2) and (1, 1). Why do we use these points? We are looking for a point of intersection somewhere in the first quadrant, and the line through these two points seems to be the best choice. The line is easily seen to be y = 3x − 2. Intersecting with the curve yields (3x − 2)2 =

x(x + 1)(2x + 1) . 6

This can be rearranged to obtain x3 −

51 2 x + · · · = 0. 2

(By the above trick, we will not need the lower terms.) We already know the roots 1/2 and 1, so we obtain 1 51 +1+x= , 2 2 or x = 24. Since y = 3x − 2, we find that y = 70. This means that 12 + 22 + 32 + · · · + 242 = 702 . If we have 4900 cannonballs, we can arrange them in a pyramid of height 24, or put them in a 70-by-70 square. If we keep repeating the above procedure, for example, using the point just found as one of our points, we’ll obtain infinitely many rational solutions to our equation. However, it can be shown that (24, 70) is the only solution to our problem in positive integers other than the trivial solution with x = 1. This requires more sophisticated techniques and we omit the details. See [5]. Here is another example of Diophantus’s method. Is there a right triangle with rational sides with area equal to 5? The smallest Pythagorean triple (3,4,5) yields a triangle with area 6, so we see that we cannot restrict our attention to integers. Now look at the triangle with sides (8, 15, 17). This yields a triangle with area 60. If we divide the sides by 2, we end up with a triangle with sides (4, 15/2, 17/2) and area 15. So it is possible to have nonintegral sides but integral area. Let the triangle we are looking for have sides a, b, c, as in Figure 1.3. Since the area is ab/2 = 5, we are looking for rational numbers a, b, c such that a2 + b2 = c2 ,

ab = 10.

A little manipulation yields
2 a+b c2 + 20  c 2 a2 + 2ab + b2 = = = + 5, 2 4 4 2 2
c2 − 20  c 2 a−b a2 − 2ab + b2 = = = − 5. 2 4 4 2

4

CHAPTER 1 INTRODUCTION

c b

a Figure 1.3

Let x = (c/2)2 . Then we have x − 5 = ((a − b)/2)2

and

x + 5 = ((a + b)/2)2 .

We are therefore looking for a rational number x such that x − 5,

x,

x+5

are simultaneously squares of rational numbers. Another way to say this is that we want three squares of rational numbers to be in an arithmetical progression with difference 5. Suppose we have such a number x. Then the product (x − 5)(x)(x + 5) = x3 − 25x must also be a square, so we need a rational solution to y 2 = x3 − 25x. As above, this is the equation of an elliptic curve. Of course, if we have such a rational solution, we are not guaranteed that there will be a corresponding rational triangle (see Exercise 1.2). However, once we have a rational solution with y = 0, we can use it to obtain another solution that does correspond to a rational triangle (see Exercise 1.2). This is what we’ll do below. For future use, we record that  c 2 (a2 − b2 )c (a − b)(c)(a + b) 1/2 = . , y = ((x − 5)(x)(x + 5)) = x= 2 8 8 There are three “obvious” points on the curve: (−5, 0), (0, 0), (5, 0). These do not help us much. They do not yield triangles and the line through any two of them intersects the curve in the remaining point. A small search yields the point (−4, 6). The line through this point and any one of the three other points yields nothing useful. The only remaining possibility is to take the line through (−4, 6) and itself, namely, the tangent line to the curve at the (−4, 6). Implicit differentiation yields 2yy
= 3x2 − 25,

y
=

23 3x2 − 25 = . 2y 12

INTRODUCTION

5

The tangent line is therefore y=

41 23 x+ . 12 3

Intersecting with the curve yields
2 23 41 x+ = x3 − 25x, 12 3 which implies 3

x −




23 12

2

x2 + · · · = 0.

Since the line is tangent to the curve at (−4, 6), the root x = −4 is a double root. Therefore the sum of the roots is
2 23 −4 − 4 + x = . 12 We obtain x = 1681/144 = (41/12)2 . The equation of the line yields y = 62279/1728. Since x = (c/2)2 , we obtain c = 41/6. Therefore, (a2 − b2 )c 41(a2 − b2 ) 62279 =y= = . 1728 8 48 This yields a2 − b2 = Since

1519 . 36

a2 + b2 = c2 = (41/6)2 ,

we solve to obtain a2 = 400/9 and b2 = 9/4. We obtain a triangle (see Figure 1.4) with 20 3 41 a= , b= , c= , 3 2 6 which has area 5. This is, of course, the (40, 9, 41) triangle rescaled by a factor of 6. There are infinitely many other solutions. These can be obtained by successively repeating the above procedure, for example, starting with the point just found (see Exercise 1.4). The question of which integers n can occur as areas of right triangles with rational sides is known as the congruent number problem. Another formulation, as we saw above, is whether there are three rational squares in arithmetic progression with difference n. It appears in Arab manuscripts around 900 A.D. A conjectural answer to the problem was proved by Tunnell in the 1980s [122]. Recall that an integer n is called squarefree if n is not

6

CHAPTER 1 INTRODUCTION

41






6

3



2

20






3 Figure 1.4

a multiple of any perfect square other than 1. For example, 5 and 15 are squarefree, while 24 and 75 are not. CONJECTURE 1.1 Let n be an odd, squarefree, positive integer. Then n can be expressed as the area of a right triangle with rational sides if and only if the number of integer solutions to 2x2 + y 2 + 8z 2 = n with z even equals the number of solutions with z odd. Let n = 2m with m odd, squarefree, and positive. Then n can be expressed as the area of a right triangle with rational sides if and only if the number of integer solutions to 4x2 + y 2 + 8z 2 = m with z even equals the number of integer solutions with z odd. Tunnell [122] proved that if there is a triangle with area n, then the number of odd solutions equals the number of even solutions. However, the proof of the converse, namely that the condition on the number of solutions implies the existence of a triangle of area n, uses the Conjecture of Birch and SwinnertonDyer, which is not yet proved (see Chapter 14). For example, consider n = 5. There are no solutions to 2x2 + y 2 + 8z 2 = 5. Since 0 = 0, the condition is trivially satisfied and the existence of a triangle of area 5 is predicted. Now consider n = 1. The solutions to 2x2 +y 2 +8z 2 = 1 are (x, y, z) = (0, 1, 0) and (0, −1, 0), and both have z even. Since 2 = 0, there is no rational right triangle of area 1. This was first proved by Fermat by his method of descent (see Chapter 8). For a nontrivial example, consider n = 41. The solutions to 2x2 +y 2 +8z 2 = 41 are (±4, ±3, 0), (±4, ±1, ±1), (±2, ±5, ±1), (±2, ±1, ±2), (0, ±3, ±2)

INTRODUCTION

7

(all possible combinations of plus and minus signs are allowed). There are 32 solutions in all. There are 16 solutions with z even and 16 with z odd. Therefore, we expect a triangle with area 41. The same method as above, using the tangent line at the point (−9, 120) to the curve y 2 = x3 − 412 x, yields the triangle with sides (40/3, 123/20, 881/60) and area 41. For much more on the congruent number problem, see [64]. Finally, let’s consider the quartic Fermat equation. We want to show that a4 + b4 = c4

(1.1)

has no solutions in nonzero integers a, b, c. This equation represents the easiest case of Fermat’s Last Theorem, which asserts that the sum of two nonzero nth powers of integers cannot be a nonzero nth power when n ≥ 3. This general result was proved by Wiles (using work of Frey, Ribet, Serre, Mazur, Taylor, ...) in 1994 using properties of elliptic curves. We’ll discuss some of these ideas in Chapter 15, but, for the moment, we restrict our attention to the much easier case of n = 4. The first proof in this case was due to Fermat. Suppose a4 + b4 = c4 with a = 0. Let x=2

b2 + c2 , a2

y=4

b(b2 + c2 ) a3

(see Example 2.2). A straightforward calculation shows that y 2 = x3 − 4x. In Chapter 8 we’ll show that the only rational solutions to this equation are (x, y) = (0, 0), (2, 0), (−2, 0). These all correspond to b = 0, so there are no nontrivial integer solutions of (1.1). The cubic Fermat equation also can be changed to an elliptic curve. Suppose that a3 + b3 = c3 and abc = 0. Since a3 + b3 = (a + b)(a2 − ab + b2 ), we must have a + b = 0. Let x = 12 Then

c , a+b

y = 36

a−b . a+b

y 2 = x3 − 432.

(Where did this change of variables come from? See Section 2.5.2.) It can be shown (but this is not easy) that the only rational solutions to this equation are (x, y) = (12, ±36). The case y = 36 yields a−b = a+b, so b = 0. Similarly, y = −36 yields a = 0. Therefore, there are no solutions to a3 + b3 = c3 when abc = 0.

8

CHAPTER 1 INTRODUCTION

Exercises 1.1 Use induction to show that 12 + 22 + 32 + · · · + x2 =

x(x + 1)(2x + 1) 6

for all integers x ≥ 0. 1.2 (a) Show that if x, y are rational numbers satisfying y 2 = x3 − 25x and x is a square of a rational number, then this does not imply that x + 5 and x − 5 are squares. (Hint: Let x = 25/4.) (b) Let n be an integer. Show that if x, y are rational numbers satisfying y 2 = x3 − n2 x, and x = 0, ±n, then the tangent line to this curve at (x, y) intersects the curve in a point (x1 , y1 ) such that x1 , x1 − n, x1 + n are squares of rational numbers. (For a more general statement, see Theorem 8.14.) This shows that the method used in the text is guaranteed to produce a triangle of area n if we can find a starting point with x = 0, ±n. 1.3 Diophantus did not work with analytic geometry and certainly did not know how to use implicit differentiation to find the slope of the tangent line. Here is how he could find the tangent to y 2 = x3 − 25x at the point (−4, 6). It appears that Diophantus regarded this simply as an algebraic trick. Newton seems to have been the first to recognize the connection with finding tangent lines. (a) Let x = −4 + t, y = 6 + mt. Substitute into y 2 = x3 − 25x. This yields a cubic equation in t that has t = 0 as a root. (b) Show that choosing m = 23/12 makes t = 0 a double root. (c) Find the nonzero root t of the cubic and use this to produce x = 1681/144 and y = 62279/1728. 1.4 Use the tangent line at (x, y) = (1681/144, 62279/1728) to find another right triangle with area 5. 1.5 Show that the change of variables x1 = 12x + 6, y1 = 72y changes the curve y12 = x31 − 36x1 to y 2 = x(x + 1)(2x + 1)/6.

Chapter 2 The Basic Theory

2.1 Weierstrass Equations For most situations in this book, an elliptic curve E is the graph of an equation of the form y 2 = x3 + Ax + B, where A and B are constants. This will be referred to as the Weierstrass equation for an elliptic curve. We will need to specify what set A, B, x, and y belong to. Usually, they will be taken to be elements of a field, for example, the real numbers R, the complex numbers C, the rational numbers Q, one of the finite fields Fp (= Zp ) for a prime p, or one of the finite fields Fq , where q = pk with k ≥ 1. In fact, for almost all of this book, the reader who is not familiar with fields may assume that a field means one of the fields just listed. If K is a field with A, B ∈ K, then we say that E is defined over K. Throughout this book, E and K will implicitly be assumed to denote an elliptic curve and a field over which E is defined. If we want to consider points with coordinates in some field L ⊇ K, we write E(L). By definition, this set always contains the point ∞ defined later in this section:   E(L) = {∞} ∪ (x, y) ∈ L × L | y 2 = x3 + Ax + B . It is not possible to draw meaningful pictures of elliptic curves over most fields. However, for intuition, it is useful to think in terms of graphs over the real numbers. These have two basic forms, depicted in Figure 2.1. The cubic y 2 = x3 − x in the first case has three distinct real roots. In the second case, the cubic y 2 = x3 + x has only one real root. What happens if there is a multiple root? We don’t allow this. Namely, we assume that 4A3 + 27B 2 = 0. If the roots of the cubic are r1 , r2 , r3 , then it can be shown that the discriminant of the cubic is 2

((r1 − r2 )(r1 − r3 )(r2 − r3 )) = −(4A3 + 27B 2 ). 9

10

CHAPTER 2

(a)

THE BASIC THEORY

y 2 = x3 − x

(b)

y 2 = x3 + x

Figure 2.1

Therefore, the roots of the cubic must be distinct. However, the case where the roots are not distinct is still interesting and will be discussed in Section 2.10. In order to have a little more flexibility, we also allow somewhat more general equations of the form y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 ,

(2.1)

where a1 , . . . , a6 are constants. This more general form (we’ll call it the generalized Weierstrass equation) is useful when working with fields of characteristic 2 and characteristic 3. If the characteristic of the field is not 2, then we can divide by 2 and complete the square:
2
    a3 a1 x a3 2 a2 a1 a3  y+ + x+ + a6 , = x3 + a2 + 1 x2 + a4 + 2 2 4 2 4 which can be written as y12 = x3 + a
2 x2 + a
4 x + a
6 , with y1 = y + a1 x/2 + a3 /2 and with some constants a
2 , a
4 , a
6 . If the characteristic is also not 3, then we can let x1 = x + a
2 /3 and obtain y12 = x31 + Ax1 + B, for some constants A, B.

SECTION 2.1 WEIERSTRASS EQUATIONS

11

In most of this book, we will develop the theory using the Weierstrass equation, occasionally pointing out what modifications need to be made in characteristics 2 and 3. In Section 2.8, we discuss the case of characteristic 2 in more detail, since the formulas for the (nongeneralized) Weierstrass equation do not apply. In contrast, these formulas are correct in characteristic 3 for curves of the form y 2 = x3 + Ax + B, but there are curves that are not of this form. The general case for characteristic 3 can be obtained by using the present methods to treat curves of the form y 2 = x3 + Cx2 + Ax + B. Finally, suppose we start with an equation cy 2 = dx3 + ax + b with c, d = 0. Multiply both sides of the equation by c3 d2 to obtain (c2 dy)2 = (cdx)3 + (ac2 d)(cdx) + (bc3 d2 ). The change of variables y1 = c2 dy,

x1 = cdx

yields an equation in Weierstrass form. Later in this chapter, we will meet other types of equations that can be transformed into Weierstrass equations for elliptic curves. These will be useful in certain contexts. For technical reasons, it is useful to add a point at infinity to an elliptic curve. In Section 2.3, this concept will be made rigorous. However, it is easiest to regard it as a point (∞, ∞), usually denoted simply by ∞, sitting at the top of the y-axis. For computational purposes, it will be a formal symbol satisfying certain computational rules. For example, a line is said to pass through ∞ exactly when this line is vertical (i.e., x =constant). The point ∞ might seem a little unnatural, but we will see that including it has very useful consequences. We now make one more convention regarding ∞. It not only is at the top of the y-axis, it is also at the bottom of the y-axis. Namely, we think of the ends of the y-axis as wrapping around and meeting (perhaps somewhere in the back behind the page) in the point ∞. This might seem a little strange. However, if we are working with a field other than the real numbers, for example, a finite field, then there might not be any meaningful ordering of the elements and therefore distinguishing a top and a bottom of the y-axis might not make sense. In fact, in this situation, the ends of the y-axis do not have meaning until we introduce projective coordinates in Section 2.3. This is why it is best to regard ∞ as a formal symbol satisfying certain properties. Also, we have arranged that two vertical lines meet at ∞. By symmetry, if they meet at the top of the y-axis, they should also meet at the bottom. But two lines should intersect in only one point, so the “top ∞” and the “bottom ∞” need to be the same. In any case, this will be a useful property of ∞.

12

CHAPTER 2

THE BASIC THEORY

2.2 The Group Law As we saw in Chapter 1, we could start with two points, or even one point, on an elliptic curve, and produce another point. We now examine this process in more detail.

P’ 3

P2

P1

P3

Figure 2.2

Adding Points on an Elliptic Curve

Start with two points P1 = (x1 , y1 ),

P2 = (x2 , y2 )

on an elliptic curve E given by the equation y 2 = x3 + Ax + B. Define a new point P3 as follows. Draw the line L through P1 and P2 . We’ll see below that L intersects E in a third point P3
. Reflect P3
across the x-axis (i.e., change the sign of the y-coordinate) to obtain P3 . We define P1 + P 2 = P3 . Examples below will show that this is not the same as adding coordinates of the points. It might be better to denote this operation by P1 +E P2 , but we opt for the simpler notation since we will never be adding points by adding coordinates. Assume first that P1 = P2 and that neither point is ∞. Draw the line L through P1 and P2 . Its slope is y2 − y1 m= . x2 − x1

SECTION 2.2 THE GROUP LAW

13

If x1 = x2 , then L is vertical. We’ll treat this case later, so let’s assume that x1 = x2 . The equation of L is then y = m(x − x1 ) + y1 . To find the intersection with E, substitute to get 2

(m(x − x1 ) + y1 ) = x3 + Ax + B. This can be rearranged to the form 0 = x3 − m2 x2 + · · · . The three roots of this cubic correspond to the three points of intersection of L with E. Generally, solving a cubic is not easy, but in the present case we already know two of the roots, namely x1 and x2 , since P1 and P2 are points on both L and E. Therefore, we could factor the cubic to obtain the third value of x. But there is an easier way. As in Chapter 1, if we have a cubic polynomial x3 + ax2 + bx + c with roots r, s, t, then x3 + ax2 + bx + c = (x − r)(x − s)(x − t) = x3 − (r + s + t)x2 + · · · . Therefore, r + s + t = −a. If we know two roots r, s, then we can recover the third as t = −a − r − s. In our case, we obtain x = m2 − x1 − x2 and y = m(x − x1 ) + y1 . Now, reflect across the x-axis to obtain the point P3 = (x3 , y3 ): x3 = m2 − x1 − x2 ,

y3 = m(x1 − x3 ) − y1 .

In the case that x1 = x2 but y1 = y2 , the line through P1 and P2 is a vertical line, which therefore intersects E in ∞. Reflecting ∞ across the x-axis yields the same point ∞ (this is why we put ∞ at both the top and the bottom of the y-axis). Therefore, in this case P1 + P2 = ∞. Now consider the case where P1 = P2 = (x1 , y1 ). When two points on a curve are very close to each other, the line through them approximates a tangent line. Therefore, when the two points coincide, we take the line L through them to be the tangent line. Implicit differentiation allows us to find the slope m of L: 2y

dy = 3x2 + A, dx

so

m=

3x2 + A dy = 1 . dx 2y1

14

CHAPTER 2

THE BASIC THEORY

If y1 = 0 then the line is vertical and we set P1 +P2 = ∞, as before. (Technical point: if y1 = 0, then the numerator 3x21 +A = 0. See Exercise 2.5.) Therefore, assume that y1 = 0. The equation of L is y = m(x − x1 ) + y1 , as before. We obtain the cubic equation 0 = x3 − m2 x2 + · · · . This time, we know only one root, namely x1 , but it is a double root since L is tangent to E at P1 . Therefore, proceeding as before, we obtain x3 = m2 − 2x1 ,

y3 = m(x1 − x3 ) − y1 .

Finally, suppose P2 = ∞. The line through P1 and ∞ is a vertical line that intersects E in the point P1
that is the reflection of P1 across the x-axis. When we reflect P1
across the x-axis to get P3 = P1 + P2 , we are back at P1 . Therefore P1 + ∞ = P1 for all points P1 on E. Of course, we extend this to include ∞ + ∞ = ∞. Let’s summarize the above discussion: GROUP LAW Let E be an elliptic curve defined by y 2 = x3 + Ax + B. Let P1 = (x1 , y1 ) and P2 = (x2 , y2 ) be points on E with P1 , P2 = ∞. Define P1 + P2 = P3 = (x3 , y3 ) as follows: 1. If x1 = x2 , then x3 = m2 − x1 − x2 ,

y3 = m(x1 − x3 ) − y1 ,

where m =

y2 − y1 . x2 − x1

2. If x1 = x2 but y1 = y2 , then P1 + P2 = ∞. 3. If P1 = P2 and y1 = 0, then x3 = m2 − 2x1 ,

y3 = m(x1 − x3 ) − y1 ,

4. If P1 = P2 and y1 = 0, then P1 + P2 = ∞. Moreover, define P +∞=P for all points P on E.

where m =

3x21 + A . 2y1

SECTION 2.2 THE GROUP LAW

15

Note that when P1 and P2 have coordinates in a field L that contains A and B, then P1 + P2 also has coordinates in L. Therefore E(L) is closed under the above addition of points. This addition of points might seem a little unnatural. Later (in Chapters 9 and 11), we’ll interpret it as corresponding to some very natural operations, but, for the present, let’s show that it has some nice properties. THEOREM 2.1 The addition of points on an elliptic curve E satisfies the following properties: 1. (commutativity) P1 + P2 = P2 + P1 for all P1 , P2 on E. 2. (existence of identity) P + ∞ = P for all points P on E. 3. (existence of inverses) Given P on E, there exists P
on E with P +P
= ∞. This point P
will usually be denoted −P . 4. (associativity) (P1 + P2 ) + P3 = P1 + (P2 + P3 ) for all P1 , P2 , P3 on E. In other words, the points on E form an additive abelian group with ∞ as the identity element. PROOF The commutativity is obvious, either from the formulas or from the fact that the line through P1 and P2 is the same as the line through P2 and P1 . The identity property of ∞ holds by definition. For inverses, let P
be the reflection of P across the x-axis. Then P + P
= ∞. Finally, we need to prove associativity. This is by far the most subtle and nonobvious property of the addition of points on E. It is possible to define many laws of composition satisfying (1), (2), (3) for points on E, either simpler or more complicated than the one being considered. But it is very unlikely that such a law will be associative. In fact, it is rather surprising that the law of composition that we have defined is associative. After all, we start with two points P1 and P2 and perform a certain procedure to obtain a third point P1 + P2 . Then we repeat the procedure with P1 + P2 and P3 to obtain (P1 + P2 ) + P3 . If we instead start by adding P2 and P3 , then computing P1 + (P2 + P3 ), there seems to be no obvious reason that this should give the same point as the other computation. The associative law can be verified by calculation with the formulas. There are several cases, depending on whether or not P1 = P2 , and whether or not P3 = (P1 + P2 ), etc., and this makes the proof rather messy. However, we prefer a different approach, which we give in Section 2.4. Warning: For the Weierstrass equation, if P = (x, y), then −P = (x, −y). For the generalized Weierstrass equation (2.1), this is no longer the case. If P = (x, y) is on the curve described by (2.1), then (see Exercise 2.9) −P = (x, −a1 x − a3 − y).

16

CHAPTER 2

THE BASIC THEORY

Example 2.1 The calculations of Chapter 1 can now be interpreted as adding points on elliptic curves. On the curve y2 =

x(x + 1)(2x + 1) , 6

we have 1 1 1 1 (0, 0) + (1, 1) = ( , − ), ( , − ) + (1, 1) = (24, −70). 2 2 2 2 On the curve y 2 = x3 − 25x,


we have 2(−4, 6) = (−4, 6) + (−4, 6) =

1681 62279 ,− 144 1728

 .

We also have (0, 0) + (−5, 0) = (5, 0),

2(0, 0) = 2(−5, 0) = 2(5, 0) = ∞.

The fact that the points on an elliptic curve form an abelian group is behind most of the interesting properties and applications. The question arises: what can we say about the groups of points that we obtain? Here are some examples. 1. An elliptic curve over a finite field has only finitely many points with coordinates in that finite field. Therefore, we obtain a finite abelian group in this case. Properties of such groups, and applications to cryptography, will be discussed in later chapters. 2. If E is an elliptic curve defined over Q, then E(Q) is a finitely generated abelian group. This is the Mordell-Weil theorem, which we prove in Chapter 8. Such a group is isomorphic to Zr ⊕ F for some r ≥ 0 and some finite group F . The integer r is called the rank of E(Q). Determining r is fairly difficult in general. It is not known whether r can be arbitrarily large. At present, there are elliptic curves known with rank at least 28. The finite group F is easy to compute using the LutzNagell theorem of Chapter 8. Moreover, a deep theorem of Mazur says that there are only finitely many possibilities for F , as E ranges over all elliptic curves defined over Q. 3. An elliptic curve over the complex numbers C is isomorphic to a torus. This will be proved in Chapter 9. The usual way to obtain a torus is as C/L, where L is a lattice in C. The usual addition of complex numbers induces a group law on C/L that corresponds to the group law on the elliptic curve under the isomorphism between the torus and the elliptic curve.

SECTION 2.2 THE GROUP LAW

17

Figure 2.3

An Elliptic Curve over C 4. If E is defined over R, then E(R) is isomorphic to the unit circle S 1 or to S 1 ⊕ Z2 . The first case corresponds to the case where the cubic polynomial x3 + Ax + B has only one real root (think of the ends of the graph in Figure 2.1(b) as being hitched together at the point ∞ to get a loop). The second case corresponds to the case where the cubic has three real roots. The closed loop in Figure 2.1(a) is the set S 1 ⊕ {1}, while the open-ended loop can be closed up using ∞ to obtain the set S 1 ⊕ {0}. If we have an elliptic curve E defined over R, then we can consider its complex points E(C). These form a torus, as in (3) above. The real points E(R) are obtained by intersecting the torus with a plane. If the plane passes through the hole in the middle, we obtain a curve as in Figure 2.1(a). If it does not pass through the hole, we obtain a curve as in Figure 2.1(b) (see Section 9.3). If P is a point on an elliptic curve and k is a positive integer, then kP denotes P + P + · · · + P (with k summands). If k < 0, then kP = (−P ) + (−P ) + · · · (−P ), with |k| summands. To compute kP for a large integer k, it is inefficient to add P to itself repeatedly. It is much faster to use successive doubling. For example, to compute 19P , we compute 2P,

4P = 2P +2P,

8P = 4P +4P,

16P = 8P +8P,

19P = 16P +2P +P.

This method allows us to compute kP for very large k, say of several hundred digits, very quickly. The only difficulty is that the size of the coordinates of the points increases very rapidly if we are working over the rational numbers (see Theorem 8.18). However, when we are working over a finite field, for example Fp , this is not a problem because we can continually reduce mod p and thus keep the numbers involved relatively small. Note that the associative

18

CHAPTER 2

THE BASIC THEORY

law allows us to make these computations without worrying about what order we use to combine the summands. The method of successive doubling can be stated in general as follows: INTEGER TIMES A POINT Let k be a positive integer and let P be a point on an elliptic curve. The following procedure computes kP . 1. Start with a = k, B = ∞, C = P . 2. If a is even, let a = a/2, and let B = B, C = 2C. 3. If a is odd, let a = a − 1, and let B = B + C, C = C. 4. If a = 0, go to step 2. 5. Output B. The output B is kP (see Exercise 2.8). On the other hand, if we are working over a large finite field and are given points P and kP , it is very difficult to determine the value of k. This is called the discrete logarithm problem for elliptic curves and is the basis for the cryptographic applications that will be discussed in Chapter 6.

2.3 Projective Space and the Point at Infinity We all know that parallel lines meet at infinity. Projective space allows us to make sense out of this statement and also to interpret the point at infinity on an elliptic curve. Let K be a field. Two-dimensional projective space P2K over K is given by equivalence classes of triples (x, y, z) with x, y, z ∈ K and at least one of x, y, z nonzero. Two triples (x1 , y1 , z1 ) and (x2 , y2 , z2 ) are said to be equivalent if there exists a nonzero element λ ∈ K such that (x1 , y1 , z1 ) = (λx2 , λy2 , λz2 ). We write (x1 , y1 , z1 ) ∼ (x2 , y2 , z2 ). The equivalence class of a triple only depends on the ratios of x to y to z. Therefore, the equivalence class of (x, y, z) is denoted (x : y : z). If (x : y : z) is a point with z = 0, then (x : y : z) = (x/z : y/z : 1). These are the “finite” points in P2K . However, if z = 0 then dividing by z should be thought of as giving ∞ in either the x or y coordinate, and therefore the points (x : y : 0) are called the “points at infinity” in P2K . The point at

SECTION 2.3

PROJECTIVE SPACE AND THE POINT AT INFINITY

19

infinity on an elliptic curve will soon be identified with one of these points at infinity in P2K . The two-dimensional affine plane over K is often denoted A2K = {(x, y) ∈ K × K}. We have an inclusion A2K → P2K given by (x, y) → (x : y : 1). In this way, the affine plane is identified with the finite points in P2K . Adding the points at infinity to obtain P2K can be viewed as a way of “compactifying” the plane (see Exercise 2.10). A polynomial is homogeneous of degree n if it is a sum of terms of the form axi y j z k with a ∈ K and i + j + k = n. For example, F (x, y, z) = 2x3 − 5xyz + 7yz 2 is homogeneous of degree 3. If a polynomial F is homogeneous of degree n then F (λx, λy, λz) = λn F (x, y, z) for all λ ∈ K. It follows that if F is homogeneous of some degree, and (x1 , y1 , z1 ) ∼ (x2 , y2 , z2 ), then F (x1 , y1 , z1 ) = 0 if and only if F (x2 , y2 , z2 ) = 0. Therefore, a zero of F in P2K does not depend on the choice of representative for the equivalence class, so the set of zeros of F in P2K is well defined. If F (x, y, z) is an arbitrary polynomial in x, y, z, then we cannot talk about a point in P2K where F (x, y, z) = 0 since this depends on the representative (x, y, z) of the equivalence class. For example, let F (x, y, z) = x2 + 2y − 3z. Then F (1, 1, 1) = 0, so we might be tempted to say that F vanishes at (1 : 1 : 1). But F (2, 2, 2) = 2 and (1 : 1 : 1) = (2 : 2 : 2). To avoid this problem, we need to work with homogeneous polynomials. If f (x, y) is a polynomial in x and y, then we can make it homogeneous by inserting appropriate powers of z. For example, if f (x, y) = y 2 − x3 − Ax − B, then we obtain the homogeneous polynomial F (x, y, z) = y 2 z − x3 − Axz 2 − Bz 3 . If F is homogeneous of degree n then x y F (x, y, z) = z n f ( , ) z z and f (x, y) = F (x, y, 1). We can now see what it means for two parallel lines to meet at infinity. Let y = mx + b1 ,

y = mx + b2

be two nonvertical parallel lines with b1 = b2 . They have the homogeneous forms y = mx + b2 z. y = mx + b1 z,

20

CHAPTER 2

THE BASIC THEORY

(The preceding discussion considered only equations of the form f (x, y) = 0 and F (x, y, z) = 0; however, there is nothing wrong with rearranging these equations to the form “homogeneous of degree n = homogeneous of degree n.”) When we solve the simultaneous equations to find their intersection, we obtain z = 0 and y = mx. Since we cannot have all of x, y, z being 0, we must have x
= 0. Therefore, we can rescale by dividing by x and find that the intersection of the two lines is (x : mx : 0) = (1 : m : 0). Similarly, if x = c1 and x = c2 are two vertical lines, they intersect in the point (0 : 1 : 0). This is one of the points at infinity in P2K . Now let’s look at the elliptic curve E given by y 2 = x3 + Ax + B. Its homogeneous form is y 2 z = x3 + Axz 2 + Bz 3 . The points (x, y) on the original curve correspond to the points (x : y : 1) in the projective version. To see what points on E lie at infinity, set z = 0 and obtain 0 = x3 . Therefore x = 0, and y can be any nonzero number (recall that (0 : 0 : 0) is not allowed). Rescale by y to find that (0 : y : 0) = (0 : 1 : 0) is the only point at infinity on E. As we saw above, (0 : 1 : 0) lies on every vertical line, so every vertical line intersects E at this point at infinity. Moreover, since (0 : 1 : 0) = (0 : −1 : 0), the “top” and the “bottom” of the y-axis are the same. There are situations where using projective coordinates speeds up computations on elliptic curves (see Section 2.6). However, in this book we almost always work in affine (nonprojective) coordinates and treat the point at infinity as a special case when needed. An exception is the proof of associativity of the group law given in Section 2.4, where it will be convenient to have the point at infinity treated like any other point (x : y : z).

2.4 Proof of Associativity In this section, we prove the associativity of addition of points on an elliptic curve. The reader who is willing to believe this result may skip this section without missing anything that is needed in the rest of the book. However, as corollaries of the proof, we will obtain two results, namely the theorems of Pappus and Pascal, that are not about elliptic curves but which are interesting in their own right. The basic idea is the following. Start with an elliptic curve E and points P, Q, R on E. To compute − ((P + Q) + R) we need to form the lines
1 = P Q, m2 = ∞, P + Q, and
3 = R, P + Q, and see where they intersect E. To compute − ((P + (Q + R)) we need to form the lines m1 = QR,
2 = ∞, Q + R, and m3 = P, Q + R. It is easy to see that the points Pij =
i ∩ mj

SECTION 2.4 PROOF OF ASSOCIATIVITY

21

lie on E, except possibly for P33 . We show in Theorem 2.6 that having the eight points Pij
= P33 on E forces P33 to be on E. Since
3 intersects E at the points R, P + Q, − ((P + Q) + R), we must have − ((P + Q) + R) = P33 . Similarly, − (P + (Q + R)) = P33 , so − ((P + Q) + R) = − (P + (Q + R)) , which implies the desired associativity. There are three main technicalities that must be treated. First, some of the points Pij could be at infinity, so we need to use projective coordinates. Second, a line could be tangent to E, which means that two Pij could be equal. Therefore, we need a careful definition of the order to which a line intersects a curve. Third, two of the lines could be equal. Dealing with these technicalities takes up most of our attention during the proof. First, we need to discuss lines in P2K . The standard way to describe a line is by a linear equation: ax + by + cz = 0. Sometimes it is useful to give a parametric description: x = a1 u + b1 v y = a2 u + b2 v

(2.2)

z = a3 u + b3 v where u, v run through K, and at least one of u, v is nonzero. For example, if a
= 0, the line ax + by + cz = 0 can be described by x = −(b/a)u − (c/a)v, y = u, z = v. Suppose all the vectors (ai , bi ) are multiples of each other, say (ai , bi ) = λi (a1 , b1 ). Then (x, y, z) = x(1, λ2 , λ3 ) for all u, v such that x
= 0. So we get a point, rather than a line, in projective space. Therefore, we need a condition on the coefficients a1 , . . . , b3 that ensure that we actually get a line. It is not hard to see that we must require the matrix ⎛ ⎞ a1 b1 ⎝ a2 b2 ⎠ a3 b3 to have rank 2 (cf. Exercise 2.12). If (u1 , v1 ) = λ(u2 , v2 ) for some λ ∈ K × , then (u1 , v1 ) and (u2 , v2 ) yield equivalent triples (x, y, z). Therefore, we can regard (u, v) as running through points (u : v) in 1-dimensional projective space P1K . Consequently, a line corresponds to a copy of the projective line P1K embedded in the projective plane.

22

CHAPTER 2

THE BASIC THEORY

We need to quantify the order to which a line intersects a curve at a point. The following gets us started. LEMMA 2.2 Let G(u, v) be a nonzero homogeneous polynomial and let (u0 : v0 ) ∈ P1K . Then there exists an integer k ≥ 0 and a polynomial H(u, v) with H(u0 , v0 )
= 0 such that G(u, v) = (v0 u − u0 v)k H(u, v). PROOF Suppose v0
= 0. Let m be the degree of G. Let g(u) = G(u, v0 ). By factoring out as large a power of u − u0 as possible, we can write g(u) = (u − u0 )k h(u) for some k and for some polynomial h of degree m − k with h(u0 )
= 0. Let H(u, v) = (v m−k /v0m )h(uv0 /v), so H(u, v) is homogeneous of degree m − k. Then  m   uv  v uv0  v m−k 0 k = m (v0 u − u0 v) h G(u, v) = g v0 v v0 v =(v0 u − u0 v)k H(u, v), as desired. If v0 = 0, then u0
= 0. Reversing the roles of u and v yields the proof in this case. Let f (x, y) = 0 (where f is a polynomial) describe a curve C in the affine plane and let x = a1 t + b1 , y = a2 t + b2 be a line L written in terms of the parameter t. Let f˜(t) = f (a1 t + b1 , a2 t + b2 ). Then L intersects C when t = t0 if f˜(t0 ) = 0. If (t − t0 )2 divides f˜(t), then L is tangent to C (if the point corresponding to t0 is nonsingular. See Lemma 2.5). More generally, we say that L intersects C to order n at the point (x, y) corresponding to t = t0 if (t − t0 )n is the highest power of (t − t0 ) that divides f˜(t). The homogeneous version of the above is the following. Let F (x, y, z) be a homogeneous polynomial, so F = 0 describes a curve C in P2K . Let L be a line given parametrically by (2.2) and let F˜ (u, v) = F (a1 u + b1 v, a2 u + b2 v, a3 u + b3 v). We say that L intersects C to order n at the point P = (x0 : y0 : z0 ) corresponding to (u : v) = (u0 : v0 ) if (v0 u − u0 v)n is the highest power of (v0 u − u0 v) dividing F˜ (u, v). We denote this by ordL,P (F ) = n.

SECTION 2.4 PROOF OF ASSOCIATIVITY

23

If F˜ is identically 0, then we let ordL,P (F ) = ∞. It is not hard to show that ordL,P (F ) is independent of the choice of parameterization of the line L. Note that v = v0 = 1 corresponds to the nonhomogeneous situation above, and the definitions coincide (at least when z
= 0). The advantage of the homogeneous formulation is that it allows us to treat the points at infinity along with the finite points in a uniform manner. LEMMA 2.3 Let L1 and L2 be lines intersecting in a point P , and, for i = 1, 2, let Li (x, y, z) be a linear polynomial defining Li . Then ordL1 ,P (L2 ) = 1 unless L1 (x, y, z) = αL2 (x, y, z) for some constant α, in which case ordL1 ,P (L2 ) = ∞. PROOF When we substitute the parameterization for L1 into L2 (x, y, z), ˜ 2 , which is a linear expression in u, v. Let P correspond to (u0 : we obtain L ˜ 2 (u0 , v0 ) = 0, it follows that L ˜ 2 (u, v) = β(v0 u − u0 v) for some v0 ). Since L constant β. If β
= 0, then ordL1 ,P (L2 ) = 1. If β = 0, then all points on L1 lie on L2 . Since two points in P2K determine a line, and L1 has at least three points (P1K always contains the points (1 : 0), (0 : 1), (1 : 1)), it follows that L1 and L2 are the same line. Therefore L1 (x, y, z) is proportional to L2 (x, y, z). Usually, a line that intersects a curve to order at least 2 is tangent to the curve. However, consider the curve C defined by F (x, y, z) = y 2 z − x3 = 0. Let x = au,

y = bu,

z=v

be a line through the point P = (0 : 0 : 1). Note that P corresponds to (u : v) = (0 : 1). We have F˜ (u, v) = u2 (b2 v − a3 u), so every line through P intersects C to order at least 2. The line with b = 0, which is the best choice for the tangent at P , intersects C to order 3. The affine part of C is the curve y 2 = x3 , which is pictured in Figure 2.7. The point (0, 0) is a singularity of the curve, which is why the intersections at P have higher orders than might be expected. This is a situation we usually want to avoid. DEFINITION 2.4 A curve C in P2K defined by F (x, y, z) = 0 is said to be nonsingular at a point P if at least one of the partial derivatives Fx , Fy , Fz is nonzero at P . For example, consider an elliptic curve defined by F (x, y, z) = y 2 z − x3 − Axz 2 − Bz 3 = 0, and assume the characteristic of our field K is not 2 or 3.

24

CHAPTER 2

THE BASIC THEORY

We have Fx = −3x2 − Az 2 ,

Fy = 2yz,

Fz = y 2 − 2Axz − 3Bz 2 .

Suppose P = (x : y : z) is a singular point. If z = 0, then Fx = 0 implies x = 0 and Fz = 0 implies y = 0, so P = (0 : 0 : 0), which is impossible. Therefore z
= 0, so we may take z = 1 (and therefore ignore it). If Fy = 0, then y = 0. Since (x : y : 1) lies on the curve, x must satisfy x3 + Ax + B = 0. If Fx = −(3x2 + A) = 0, then x is a root of a polynomial and a root of its derivative, hence a double root. Since we assumed that the cubic polynomial has no multiple roots, we have a contradiction. Therefore an elliptic curve has no singular points. Note that this is true even if we are considering points with coordinates in K (= algebraic closure of K). In general, by a nonsingular curve we mean a curve with no singular points in K. If we allow the cubic polynomial to have a multiple root x, then it is easy to see that the curve has a singularity at (x : 0 : 1). This case will be discussed in Section 2.10. If P is a nonsingular point of a curve F (x, y, z) = 0, then the tangent line at P is Fx (P )x + Fy (P )y + Fz (P )z = 0. For example, if F (x, y, z) = y 2 z − x3 − Axz 2 − Bz 3 = 0, then the tangent line at (x0 : y0 : z0 ) is (−3x20 − Az02 )x + 2y0 z0 y + (y02 − 2Ax0 z0 − 3Bz02 )z = 0. If we set z0 = z = 1, then we obtain (−3x20 − A)x + 2y0 y + (y02 − 2Ax0 − 3B) = 0. Using the fact that y02 = x30 + Ax0 + B, we can rewrite this as (−3x20 − A)(x − x0 ) + 2y0 (y − y0 ) = 0. This is the tangent line in affine coordinates that we used in obtaining the formulas for adding a point to itself on an elliptic curve. Now let’s look at the point at infinity on this curve. We have (x0 : y0 : z0 ) = (0 : 1 : 0). The tangent line is given by 0x + 0y + z = 0, which is the “line at infinity” in P2K . It intersects the elliptic curve only in the point (0 : 1 : 0). This corresponds to the fact that ∞ + ∞ = ∞ on an elliptic curve. LEMMA 2.5 Let F (x, y, z) = 0 define a curve C. If P is a nonsingular point of C, then there is exactly one line in P2K that intersects C to order at least 2, and it is the tangent to C at P . PROOF Let L be a line intersecting C to order k ≥ 1. Parameterize L by (2.2) and substitute into F . This yields F˜ (u, v). Let (u0 : v0 ) correspond

SECTION 2.4 PROOF OF ASSOCIATIVITY

25

to P . Then F˜ = (v0 u − u0 v)k H(u, v) for some H(u, v) with H(u0 , v0 )
= 0. Therefore, F˜u (u, v) = kv0 (v0 u − u0 v)k−1 H(u, v) + (v0 u − u0 v)k Hu (u, v) and F˜v (u, v) = −ku0 (v0 u − u0 v)k−1 H(u, v) + (v0 u − u0 v)k Hv (u, v). It follows that k ≥ 2 if and only if F˜u (u0 , v0 ) = F˜v (u0 , v0 ) = 0. Suppose k ≥ 2. The chain rule yields F˜u = a1 Fx + a2 Fy + a3 Fz = 0,

F˜v = b1 Fx + b2 Fy + b3 Fz = 0

(2.3)

at P . Recall that since the parameterization (2.2) yields a line, the vectors (a1 , a2 , a3 ) and (b1 , b2 , b3 ) must be linearly independent. Suppose L
is another line that intersects C to order at least 2. Then we obtain another set of equations a
1 Fx + a
2 Fy + a
3 Fz = 0,

b
1 Fx + b
2 Fy + b
3 Fz = 0

at P . If the vectors a
= (a
1 , a
2 , a
3 ) and b
= (b
1 , b
2 , b
3 ) span the same plane in 3 K as a = (a1 , a2 , a3 ) and b = (b1 , b2 , b3 ), then a
= αa + βb, b
= γa + δb   αβ for some invertible matrix . Therefore, γ δ ua
+ vb
= (uα + vγ)a + (uβ + vδ)b = u1 a + v1 b for a new choice of parameters u1 , v1 . This means that L and L
are the same line. If L and L
are different lines, then a, b and a
, b
span different planes, so the vectors a, b, a
, b
must span all of K 3 . Since (Fx , Fy , Fz ) has dot product 0 with these vectors, it must be the 0 vector. This means that P is a singular point, contrary to our assumption. Finally, we need to show that the tangent line intersects the curve to order at least 2. Suppose, for example, that Fx
= 0 at P . The cases where Fy
= 0 and Fz
= 0 are similar. The tangent line can be given the parameterization x = −(Fy /Fx )u − (Fz /Fx )v,

y = u,

z = v,

so a1 = −Fy /Fx , b1 = −Fz /Fx , a2 = 1, b2 = 0, a3 = 0, b3 = 1 in the notation of (2.2). Substitute into (2.3) to obtain F˜u = (−Fy /Fx )Fx + Fy = 0,

F˜v = (−Fz /Fx )Fx + Fz = 0.

26

CHAPTER 2

THE BASIC THEORY

By the discussion at the beginning of the proof, this means that the tangent line intersects the curve to order k ≥ 2. The associativity of elliptic curve addition will follow easily from the next result. The proof can be simplified if the points Pij are assumed to be distinct. The cases where points are equal correspond to situations where tangent lines are used in the definition of the group law. Correspondingly, this is where it is more difficult to verify the associativity by direct calculation with the formulas for the group law. THEOREM 2.6 Let C(x, y, z) be a homogeneous cubic polynomial, and let C be the curve in P2K described by C(x, y, z) = 0. Let
1 ,
2 ,
3 and m1 , m2 , m3 be lines in P2K such that
i
= mj for all i, j. Let Pij be the point of intersection of
i and mj . Suppose Pij is a nonsingular point on the curve C for all (i, j)
= (3, 3). In addition, we require that if, for some i, there are k ≥ 2 of the points Pi1 , Pi2 , Pi3 equal to the same point, then
i intersects C to order at least k at this point. Also, if, for some j, there are k ≥ 2 of the points P1j , P2j , P3j equal to the same point, then mj intersects C to order at least k at this point. Then P33 also lies on the curve C. PROOF Express
1 in the parametric form (2.2). Then C(x, y, z) becomes ˜ v). The line
1 passes through P11 , P12 , P13 . Let (u1 : v1 ), (u2 : v2 ), (u3 : C(u, v3 ) be the parameters on
1 for these points. Since these points lie on C, we ˜ i , vi ) = 0 for i = 1, 2, 3. have C(u Let mj have equation mj (x, y, z) = aj x + bj y + cj z = 0. Substituting ˜ j (u, v). Since Pij lies on mj , we have the parameterization for
1 yields m ˜ j yield the m ˜ j (uj , vj ) = 0 for j = 1, 2, 3. Since
1
= mj and since the zeros of m ˜ j (u, v) vanishes only at P1j , so the intersections of
1 and mj , the function m ˜ 1 (u, v)m ˜ 2 (u, v)m ˜ 3 (u, v) linear form m ˜ j is nonzero. Therefore, the product m is a nonzero cubic homogeneous polynomial. We need to relate this product ˜ to C. LEMMA 2.7 Let R(u, v) and S(u, v) be homogeneous polynomials of degree 3, with S(u, v) not identically 0, and suppose there are three points (ui : vi ), i = 1, 2, 3, at which R and S vanish. Moreover, if k of these points are equal to the same point, we require that R and S vanish to order at least k at this point (that is, (vi u − ui v)k divides R and S). Then there is a constant α ∈ K such that R = αS. PROOF First, observe that a nonzero cubic homogeneous polynomial S(u, v) can have at most 3 zeros (u : v) in P1K (counting multiplicities).

SECTION 2.4 PROOF OF ASSOCIATIVITY

27

This can be proved as follows. Factor off the highest possible power of v, say v k . Then S(u, v) vanishes to order k at (1 : 0), and S(u, v) = v k S0 (u, v) with S0 (1, 0)
= 0. Since S0 (u, 1) is a polynomial of degree 3 − k, the polynomial S0 (u, 1) can have at most 3 − k zeros, counting multiplicities (it has exactly 3 − k if K is algebraically closed). All points (u : v)
= (1 : 0) can be written in the form (u : 1), so S0 (u, v) has at most 3 − k zeros. Therefore, S(u, v) has at most k + (3 − k) = 3 zeros in P1K . It follows easily that the condition that S(u, v) vanish to order at least k could be replaced by the condition that S(u, v) vanish to order exactly k. However, it is easier to check “at least” than “exactly.” Since we are allowing the possibility that R(u, v) is identically 0, this remark does not apply to R. Let (u0 , : v0 ) be any point in P1K not equal to any of the (ui : vi ). (Technical point: If K has only two elements, then P1K has only three elements. In this case, enlarge K to GF (4). The α we obtain is forced to be in K since it is the ratio of a coefficient of R and a coefficient of S, both of which are in K.) Since S can have at most three zeros, S(u0 , v0 )
= 0. Let α = R(u0 , v0 )/S(u0 , v0 ). Then R(u, v) − αS(u, v) is a cubic homogeneous polynomial that vanishes at the four points (ui : vi ), i = 0, 1, 2, 3. Therefore R − αS must be identically zero. Returning to the proof of the theorem, we note that C˜ and m ˜ 1m ˜ 2m ˜ 3 vanish at the points (ui : vi ), i = 1, 2, 3. Moreover, if k of the points P1j are the same point, then k of the linear functions vanish at this point, so the product ˜ 2 (u, v)m ˜ 3 (u, v) vanishes to order at least k. By assumption, C˜ m ˜ 1 (u, v)m vanishes to order at least k in this situation. By the lemma, there exists a constant α such that C˜ = αm ˜ 1m ˜ 2m ˜ 3. Let C1 (x, y, z) = C(x, y, z) − αm1 (x, y, z)m2 (x, y, z)m3 (x, y, z). The line
1 can be described by a linear equation
1 (x, y, z) = ax+by +cz = 0. At least one coefficient is nonzero, so let’s assume a
= 0. The other cases are similar. The parameterization of the line
1 can be taken to be x = −(b/a)u − (c/a)v,

y = u,

z = v.

(2.4)

Then C˜1 (u, v) = C1 (−(b/a)u − (c/a)v, u, v). Write C1 (x, y, z) as a polynomial in x with polynomials in y, z as coefficients. Writing n

xn = (1/an ) ((ax + by + cz) − (by + cz)) = (1/an ) ((ax + by + cz)n + · · · ) , we can rearrange C1 (x, y, z) to be a polynomial in ax + by + cz whose coefficients are polynomials in y, z: C1 (x, y, z) = a3 (y, z)(ax + by + cz)3 + · · · + a0 (y, z).

(2.5)

28

CHAPTER 2

THE BASIC THEORY

Substituting (2.4) into (2.5) yields 0 = C˜1 (u, v) = a0 (u, v), since ax + by + cz vanishes identically when x, y, z are written in terms of u, v. Therefore a0 (y, z) = a0 (u, v) is the zero polynomial. It follows from (2.5) that C1 (x, y, z) is a multiple of
1 (x, y, z) = ax + by + cz. Similarly, there exists a constant β such that C(x, y, z) − β
1
2
3 is a multiple of m1 . Let D(x, y, z) = C − αm1 m2 m3 − β
1
2
3 . Then D(x, y, z) is a multiple of
1 and a multiple of m1 . LEMMA 2.8 D(x, y, z) is a multiple of
1 (x, y, z)m1 (x, y, z). PROOF Write D = m1 D1 . We need to show that
1 divides D1 . We could quote some result about unique factorization, but instead we proceed as follows. Parameterize the line
1 via (2.4) (again, we are considering the ˜ 1. ˜ =m ˜ 1D case a
= 0). Substituting this into the relation D = m1 D1 yields D ˜ ˜ 1
= 0. Therefore Since
1 divides D, we have D = 0. Since m1
=
1 , we have m ˜ 1 (u, v) is the zero polynomial. As above, this implies that D1 (x, y, z) is a D multiple of
1 , as desired. By the lemma, D(x, y, z) =
1 m1
, where
(x, y, z) is linear. By assumption, C = 0 at P22 , P23 , P32 . Also,
1
2
3 and m1 m2 m3 vanish at these points. Therefore, D(x, y, z) vanishes at these points. Our goal is to show that D is identically 0. LEMMA 2.9
(P22 ) =
(P23 ) =
(P32 ) = 0. PROOF First suppose that P13
= P23 . If
1 (P23 ) = 0, then P23 is on the line
1 and also on
2 and m3 by definition. Therefore, P23 equals the intersection P13 of
1 and m3 . Since P23 and P13 are for the moment assumed to be distinct, this is a contradiction. Therefore
1 (P23 )
= 0. Since D(P23 ) = 0, it follows that m1 (P23 )
(P23 ) = 0. Suppose now that P13 = P23 . Then, by the assumption in the theorem, m3 is tangent to C at P23 , so ordm3 ,P23 (C) ≥ 2. Since P13 = P23 and P23 lies on m3 , we have ordm3 ,P23 (
1 ) = ordm3 ,P23 (
2 ) = 1. Therefore, ordm3 ,P23 (α
1
2
3 ) ≥ 2. Also, ordm3 ,P23 (βm1 m2 m3 ) = ∞. Therefore,

SECTION 2.4 PROOF OF ASSOCIATIVITY

29

ordm3 ,P23 (D) ≥ 2, since D is a sum of terms, each of which vanishes to order at least 2. But ordm3 ,P23 (
1 ) = 1, so we have ordm3 ,P23 (m1
) = ordm3 ,P23 (D) − ordm3 ,P23 (
1 ) ≥ 1. Therefore m1 (P23 )
(P23 ) = 0. In both cases, we have m1 (P23 )
(P23 ) = 0. If m1 (P23 )
= 0, then
(P23 ) = 0, as desired. If m1 (P23 ) = 0, then P23 lies on m1 , and also on
2 and m3 , by definition. Therefore, P23 = P21 , since
2 and m1 intersect in a unique point. By assumption,
2 is therefore tangent to C at P23 . Therefore, ord
2 ,P23 (C) ≥ 2. As above, ord
2 ,P23 (D) ≥ 2, so ord
2 ,P23 (
1
) ≥ 1. If in this case we have
1 (P23 ) = 0, then P23 lies on
1 ,
2 , m3 . Therefore P13 = P23 . By assumption, the line m3 is tangent to C at P23 . Since P23 is a nonsingular point of C, Lemma 2.5 says that
2 = m3 , contrary to hypothesis. Therefore,
1 (P23 )
= 0, so
(P23 ) = 0. Similarly,
(P22 ) =
(P32 ) = 0. If
(x, y, z) is identically 0, then D is identically 0. Therefore, assume that
(x, y, z) is not zero and hence it defines a line
. First suppose that P23 , P22 , P32 are distinct. Then
and
2 are lines through P23 and P22 . Therefore
=
2 . Similarly,
= m2 . Therefore
2 = m2 , contradiction. Now suppose that P32 = P22 . Then m2 is tangent to C at P22 . As before, ordm2 ,P22 (
1 m1
) ≥ 2. We want to show that this forces
to be the same line as m2 . If m1 (P22 ) = 0, then P22 lies on m1 , m2 ,
2 . Therefore, P21 = P22 . This means that
2 is tangent to C at P22 . By Lemma 2.5,
2 = m2 , contradiction. Therefore, m1 (P22 )
= 0. If
1 (P22 )
= 0, then ordm2 ,P22 (
) ≥ 2. This means that
is the same line as m2 . If
1 (P22 ) = 0, then P22 = P32 lies on
1 ,
2 ,
3 , m2 , so P12 = P22 = P32 . Therefore ordm2 ,P22 (C) ≥ 3. By the reasoning above, we now have ordm2 ,P22 (
1 m1
) ≥ 3. Since we have proved that m1 (P22 )
= 0, we have ordm2 ,P22 (
) ≥ 2. This means that
is the same line as m2 . So now we have proved, under the assumption that P32 = P22 , that
is the same line as m2 . By Lemma 2.9, P23 lies on
, and therefore on m2 . It also lies on
2 and m3 . Therefore, P22 = P23 . This means that
2 is tangent to C at P22 . Since P32 = P22 means that m2 is also tangent to C at P22 , we have
2 = m2 , contradiction. Therefore, P32
= P22 (under the assumption that

= 0).

30

CHAPTER 2

THE BASIC THEORY

Similarly, P23
= P22 . Finally, suppose P23 = P32 . Then P23 lies on
2 ,
3 , m2 , m3 . This forces P22 = P32 , which we have just shown is impossible. Therefore, all possibilities lead to contradictions. It follows that
(x, y, z) must be identically 0. Therefore D = 0, so C = α
1
2
3 + βm1 m2 m3 . Since
3 and m3 vanish at P33 , we have C(P33 ) = 0, as desired. This completes the proof of Theorem 2.6. REMARK 2.10

Note that we proved the stronger result that C = α
1
2
3 + βm1 m2 m3

for some constants α, β. Since there are 10 coefficients in an arbitrary homogeneous cubic polynomial in three variables and we have required that C vanish at eight points (when the Pij are distinct), it is not surprising that the set of possible polynomials is a two-parameter family. When the Pij are not distinct, the tangency conditions add enough restrictions that we still obtain a two-parameter family. We can now prove the associativity of addition for an elliptic curve. Let P, Q, R be points on E. Define the lines
1 = P Q, m1 = QR,


2 = ∞, Q + R, m2 = ∞, P + Q,


3 = R, P + Q m3 = P, Q + R.

We have the following intersections:

m1 m2 m3


1 Q −(P + Q) P


2
3 −(Q + R) R ∞ P +Q Q+R X

Assume for the moment that the hypotheses of the theorem are satisfied. Then all the points in the table, including X, lie on E. The line
3 has three points of intersection with E, namely R, P + Q, and X. By the definition of addition, X = −((P + Q) + R). Similarly, m3 intersects C in 3 points, which means that X = −(P + (Q + R)). Therefore, after reflecting across the x-axis, we obtain (P + Q) + R = P + (Q + R), as desired. It remains to verify the hypotheses of the theorem, namely that the orders of intersection are correct and that the lines
i are distinct from the lines mj . First we want to dispense with cases where ∞ occurs. The problem is that we treated ∞ as a special case in the definition of the group law. However,

SECTION 2.4 PROOF OF ASSOCIATIVITY

31

as pointed out earlier, the tangent line at ∞ intersects the curve only at ∞ (and intersects to order 3 at ∞). It follows that if two of the entries in a row or column of the above table of intersections are equal to ∞, then so is the third, and the line intersects the curve to order 3. Therefore, this hypothesis is satisfied. It is also possible to treat directly the cases where some of the intersection points P, Q, R, ±(P + Q), ±(Q + R) are ∞. In the cases where at least one of P, Q, R is ∞, associativity is trivial. If P + Q = ∞, then (P + Q) + R = ∞ + R = R. On the other hand, the sum Q + R is computed by first drawing the line L through Q and R, which intersects E in −(Q + R). Since P + Q = ∞, the reflection of Q across the x-axis is P . Therefore, the reflection L
of L passes through P , −R, and Q + R. The sum P + (Q + R) is found by drawing the line through P and Q + R, which is L
. We have just observed that the third point of intersection of L
with E is −R. Reflecting yields P + (Q + R) = R, so associativity holds in this case. Similarly, associativity holds when Q + R = ∞. Finally, we need to consider what happens if some line
i equals some line mj , since then Theorem 2.6 does not apply. First, observe that if P, Q, R are collinear, then associativity is easily verified directly. Second, suppose that P, Q, Q + R are collinear. Then P + (Q + R) = −Q. Also, P + Q = −(Q + R), so (P + Q) + R = −(Q + R) + R. The second equation of the following shows that associativity holds in this case. LEMMA 2.11 Let P1 , P2 be points on an elliptic curve. Then (P1 + P2 ) − P2 = P1 and −(P1 + P2 ) + P2 = −P1 . PROOF The two relations are reflections of each other, so it suffices to prove the second one. The line L through P1 and P2 intersects the elliptic curve in −(P1 + P2 ). Regarding L as the line through −(P1 + P2 ) and P2 yields −(P1 + P2 ) + P2 = −P1 , as claimed. Suppose that
i = mj for some i, j. We consider the various cases. By the above discussion, we may assume that all points in the table of intersections are finite, except for ∞ and possibly X. Note that each
i and each mj meets E in three points (counting multiplicity), one of which is Pij . If the two lines coincide, then the other two points must coincide in some order. 1.
1 = m1 : Then P, Q, R are collinear, and associativity follows. 2.
1 = m2 : In this case, P, Q, ∞ are collinear, so P +Q = ∞; associativity follows by the direct calculation made above.

32

CHAPTER 2

THE BASIC THEORY

3.
2 = m1 : Similar to the previous case. 4.
1 = m3 : Then P, Q, Q+R are collinear; associativity was proved above. 5.
3 = m1 : Similar to the previous case. 6.
2 = m2 : Then P + Q must be ±(Q + R). If P + Q = Q + R, then commutativity plus the above lemma yields P = (P + Q) − Q = (Q + R) − Q = R. Therefore, (P + Q) + R = R + (P + Q) = P + (P + Q) = P + (R + Q) = P + (Q + R). If P + Q = −(Q + R), then (P + Q) + R = −(Q + R) + R = −Q and P + (Q + R) = P − (P + Q) = −Q, so associativity holds. 7.
2 = m3 : In this case, the line m3 through P and (Q + R) intersects E in ∞, so P = −(Q + R). Since −(Q + R), Q, R are collinear, we have that P, Q, R are collinear and associativity holds. 8.
3 = m2 : Similar to the previous case. 9.
3 = m3 : Since
3 cannot intersect E in 4 points (counting multiplicities), it is easy to see that P = R or P = P + Q or Q + R = P + Q or Q + R = R. The case P = R was treated in the case
2 = m2 . Assume P = P + Q. Adding −P and applying Lemma 2.11 yields ∞ = Q, in which case associativity immediately follows. The case Q + R = R is similar. If Q + R = P + Q, then adding −Q and applying Lemma 2.11 yields P = R, which we have already treated. If
i
= mj for all i, j, then the hypotheses of the theorem are satisfied, so the addition is associative, as proved above. This completes the proof of the associativity of elliptic curve addition. REMARK 2.12 Note that for most of the proof, we did not use the Weierstrass equation for the elliptic curve. In fact, any nonsingular cubic curve would suffice. The identity O for the group law needs to be a point whose tangent line intersects to order 3. Three points sum to 0 if they lie on a straight line. Negation of a point P is accomplished by taking the line through O and P . The third point of intersection is then −P . Associativity of this group law follows just as in the Weierstrass case.

SECTION 2.4 PROOF OF ASSOCIATIVITY

33

2.4.1 The Theorems of Pappus and Pascal Theorem 2.6 has two other nice applications outside the realm of elliptic curves. THEOREM 2.13 (Pascal’s Theorem) Let ABCDEF be a hexagon inscribed in a conic section (ellipse, parabola, or hyperbola), where A, B, C, D, E, F are distinct points in the affine plane. Let X be the intersection of AB and DE, let Y be the intersection of BC and EF , and let Z be the intersection of CD and F A. Then X, Y, Z are collinear (see Figure 2.4).

Figure 2.4

Pascal’s Theorem

REMARK 2.14 (1) A conic is given by an equation q(x, y) = ax2 + bxy + cy 2 + dx + ey + f = 0 with at least one of a, b, c nonzero. Usually, it is assumed that b2 −4ac
= 0; otherwise, the conic degenerates into a product of two linear factors, and the graph is the union of two lines. The present theorem holds even in this case, as long as the points A, C, E lie on one of the lines, B, D, F lie on the other, and none is the intersection of the two lines. (2) Possibly AB and DE are parallel, for example. Then X is an infinite point in P2K . (3) Note that X, Y, Z will always be distinct. This is easily seen as follows: First observe that X, Y, Z cannot lie on the conic since a line can intersect

34

CHAPTER 2

THE BASIC THEORY

the conic in at most two points; the points A, B, C, D, E, F are assumed to be distinct and therefore exhaust all possible intersections. If X = Y , then AB and BC meet in both B and Y , and therefore the lines are equal. But this means that A = C, contradiction. Similarly, X
= Z and Y
= Z. PROOF

Define the following lines:


1 = EF ,
2 = AB,
3 = CD, m1 = BC, m2 = DE, m3 = F A. We have the following table of intersections:

m1 m2 m3


1 Y E F


2 B X A


3 C D Z

Let q(x, y) = 0 be the affine equation of the conic. In order to apply Theorem 2.6, we change q(x, y) to its homogeneous form Q(x, y, z). Let
(x, y, z) be a linear form giving the line through X and Y . Then C(x, y, z) = Q(x, y, z)
(x, y, z) is a homogeneous cubic polynomial. The curve C = 0 contains all of the points in the table, with the possible exception of Z. It is easily checked that the only singular points of C are the points of intersection of Q = 0 and
= 0, and the intersection of the two lines comprising Q = 0 in the case of a degenerate conic. Since none of these points occur among the points we are considering, the hypotheses of Theorem 2.6 are satisfied. Therefore, C(Z) = 0. Since Q(Z)
= 0, we must have
(Z) = 0, so Z lies on the line through X and Y . Therefore, X, Y , Z are collinear. This completes the proof of Pascal’s theorem. COROLLARY 2.15 (Pappus’s Theorem) Let
and m be two distinct lines in the plane. Let A, B, C be distinct points of
and let A
, B
, C
be distinct points of m. Assume that none of these points is the intersection of
and m. Let X be the intersection of AB
and A
B, let Y be the intersection of B
C and BC
, and let Z be the intersection of CA
and C
A. Then X, Y, Z are collinear (see Figure 2.5).

PROOF This is the case of a degenerate conic in Theorem 2.13. The “hexagon” is AB
CA
BC
.

SECTION 2.5 OTHER EQUATIONS FOR ELLIPTIC CURVES

B

35

C

A

A’

B’

C’

Figure 2.5

Pappus’s Theorem

2.5 Other Equations for Elliptic Curves In this book, we are mainly using the Weierstrass equation for an elliptic curve. However, elliptic curves arise in various other guises, and it is worthwhile to discuss these briefly.

2.5.1 Legendre Equation This is a variant on the Weierstrass equation. Its advantage is that it allows us to express all elliptic curves over an algebraically closed field (of characteristic not 2) in terms of one parameter. PROPOSITION 2.16 Let K be a field of characteristic not 2 and let y 2 = x3 + ax2 + bx + c = (x − e1 )(x − e2 )(x − e3 ) be an elliptic curve E over K with e1 , e2 , e3 ∈ K. Let x1 = (e2 − e1 )−1 (x − e1 ), Then λ
= 0, 1 and

PROOF

y1 = (e2 − e1 )−3/2 y,

y12 = x1 (x1 − 1)(x1 − λ).

This is a straightforward calculation.

λ=

e3 − e1 . e2 − e1

36

CHAPTER 2

THE BASIC THEORY

The parameter λ for E is not unique. In fact, each of 1 λ λ−1 1 , , } {λ, , 1 − λ, λ 1−λ λ−1 λ yields a Legendre equation for E. They correspond to the six permutations of the roots e1 , e2 , e3 . It can be shown that these are the only values of λ corresponding to E, so the map λ → E is six-to-one, except where λ = −1, 1/2, 2, or λ2 − λ + 1 = 0 (in these situations, the above set collapses; see Exercise 2.13).

2.5.2 Cubic Equations It is possible to start with a cubic equation C(x, y) = 0, over a field K of characteristic not 2 or 3, that has a point with x, y ∈ K and find an invertible change of variables that transforms the equation to Weierstrass form (although possibly 4A3 + 27B 2 = 0). The procedure is fairly complicated (see [25], [28], or [84]), so we restrict our attention to a specific example. Consider the cubic Fermat equation x3 + y 3 + z 3 = 0. The fact that this equation has no rational solutions with xyz
= 0 was conjectured by the Arabs in the 900s and represents a special case of Fermat’s Last Theorem, which asserts that the sum of two nonzero nth powers of integers cannot be a nonzero nth power when n ≥ 3. The first proof in the case n = 3 was probably due to Fermat. We’ll discuss some of the ideas for the proof in the general case in Chapter 15. Suppose that x3 + y 3 + z 3 = 0 and xyz
= 0. Since x3 + y 3 = (x + y)(x2 − xy + y 2 ), we must have x + y
= 0. Write x = u + v, z

y = u − v. z

Then (u + v)3 + (u − v)3 + 1 = 0, so 2u3 + 6uv 2 + 1 = 0. Divide by u3 (since x + y
= 0, we have u
= 0) and rearrange to obtain 6(v/u)2 = −(1/u)3 − 2. Let x1 = Then

z −6 = −12 , u x+y

y1 =

x−y 36v = 36 . u x+y

y12 = x31 − 432.

It can be shown (this is somewhat nontrivial) that the only rational solutions to this equation are (x1 , y1 ) = (12, ±36), and ∞. The case y1 = 36 yields

37

SECTION 2.5 OTHER EQUATIONS FOR ELLIPTIC CURVES

x − y = x + y, so y = 0. Similarly, y1 = −36 yields x = 0. The point with (x1 , y1 ) = ∞ corresponds to x = −y, which means that z = 0. Therefore, there are no solutions to x3 + y 3 + z 3 = 0 when xyz
= 0.

2.5.3 Quartic Equations Occasionally, we will meet curves defined by equations of the form v 2 = au4 + bu3 + cu2 + du + e,

(2.6)

with a
= 0. If we have a point (p, q) lying on the curve with p, q ∈ K, then the equation (when it is nonsingular) can be transformed into a Weierstrass equation by an invertible change of variables that uses rational functions with coefficients in the field K. Note that an elliptic curve E defined over a field K always has a point in E(K), namely ∞ (whose projective coordinates (0 : 1 : 0) certainly lie in K). Therefore, if we are going to transform a curve C into Weierstrass form in such a way that all coefficients of the rational functions describing the transformation lie in K, then we need to start with a point on C that has coordinates in K. There are curves of the form (2.6) that do not have points with coordinates in K. This phenomenon will be discussed in more detail in Chapter 8. Suppose we have a curve defined by an equation (2.6) and suppose we have a point (p, q) lying on the curve. By changing u to u + p, we may assume p = 0, so the point has the form (0, q). First, suppose q = 0. If d = 0, then the curve has a singularity at (u, v) = (0, 0). Therefore, assume d
= 0. Then (

1 1 1 v 2 ) = d( )3 + c( )2 + b( ) + a. u2 u u u

This can be easily transformed into a Weierstrass equation in d/u and dv/u2 . The harder case is when q
= 0. We have the following result. THEOREM 2.17 Let K be a field of characteristic not 2. Consider the equation v 2 = au4 + bu3 + cu2 + du + q 2 with a, b, c, d, q ∈ K. Let x=

2q(v + q) + du , u2

y=

4q 2 (v + q) + 2q(du + cu2 ) − (d2 u2 /2q) . u3

Define a1 = d/q,

a2 = c − (d2 /4q 2 ),

a3 = 2qb,

a4 = −4q 2 a,

a6 = a2 a4 .

38

CHAPTER 2

Then

THE BASIC THEORY

y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 .

The inverse transformation is u=

2q(x + c) − (d2 /2q) , y

v = −q +

u(ux − d) . 2q

The point (u, v) = (0, q) corresponds to the point (x, y) = ∞ and (u, v) = (0, −q) corresponds to (x, y) = (−a2 , a1 a2 − a3 ). PROOF Most of the proof is a “straightforward” calculation that we omit. For the image of the point (0, −q), see [28]. Example 2.2 Consider the equation v 2 = u4 + 1.

(2.7)

Then a = 1, b = c = d = 0, and q = 1. If x=

2(v + 1) , u2

y=

4(v + 1) , u3

then we obtain the elliptic curve E given by y 2 = x3 − 4x. The inverse transformation is u = 2x/y,

v = −1 + (2x3 /y 2 ).

The point (u, v) = (0, 1) corresponds to ∞ on E, and (u, v) = (0, −1) corresponds to (0, 0). We will show in Chapter 8 that E(Q) = {∞, (0, 0), (2, 0), (−2, 0)}. These correspond to (u, v) = (0, 1), (0, −1), and points at infinity. Therefore, the only finite rational points on the quartic curve are (u, v) = (0, ±1). It is easy to deduce from this that the only integer solutions to a4 + b4 = c2 satisfy ab = 0. This yields Fermat’s Last Theorem for exponent 4. We will discuss this in more detail in Chapter 8. It is worth considering briefly the situation at infinity in u, v. If we make the equation (2.7) homogeneous, we obtain F (u, v, w) = v 2 w2 − u4 − w4 = 0.

SECTION 2.5 OTHER EQUATIONS FOR ELLIPTIC CURVES

39

The points at infinity have w = 0. To find them, we set w = 0 and get 0 = u4 , which means u = 0. We thus find only the point (u : v : w) = (0 : 1 : 0). But we have two points, namely (2, 0) and (−2, 0) in the corresponding Weierstrass model. The problem is that (u : v : w) = (0 : 1 : 0) is a singular point in the quartic model. At this point we have Fu = Fv = Fw = 0. What is happening is that the curve intersects itself at the point (u : v : w) = (0 : 1 : 0). One branch of the curve is v = +u2 1 + (1/u)4 and the other is v = −u2 1 + (1/u)4 . For simplicity, let’s work with real or complex numbers. If we substitute the second of these expressions into x = 2(v + 1)/u2 and take the limit as u → ∞, we obtain 2(1 − u2 1 + (1/u)4 ) 2(v + 1) = → −2. x= u2 u2 If we use the other branch, we find x → +2. So the transformation that changes the quartic equation into the Weierstrass equation has pulled apart the two branches (the technical term is “resolved the singularities”) at the singular point.

2.5.4 Intersection of Two Quadratic Surfaces The intersection of two quadratic surfaces in three-dimensional space, along with a point on this intersection, is usually an elliptic curve. Rather than work in full generality, we’ll consider pairs of equations of the form au2 + bv 2 = e,

cu2 + dw2 = f,

where a, b, c, d, e, f are nonzero elements of a field K of characteristic not 2. Each separate equation may be regarded as a surface in uvw-space, and they intersect in a curve. We’ll show that if we have a point P in the intersection, then we can transform this curve into an elliptic curve in Weierstrass form. Before analyzing the intersection of these two surfaces, let’s consider the first equation by itself. It can be regarded as giving a curve C in the uvplane. Let P = (u0 , v0 ) be a point on C. Let L be the line through P with slope m: u = u0 + t, v = v0 + mt. We want to find the other point where L intersects C. See Figure 2.6. Substitute into the equation for C and use the fact that au20 + bv02 = e to obtain a(2u0 t + t2 ) + b(2v0 mt + m2 t2 ) = 0.

40

CHAPTER 2

THE BASIC THEORY


u,v C L


u0 ,v0 

Figure 2.6

Since t = 0 corresponds to (u0 , v0 ), we factor out t and obtain t=−

2au0 + 2bv0 m . a + bm2

Therefore, u = u0 −

2au0 + 2bv0 m , a + bm2

v = v0 −

2amu0 + 2bv0 m2 . a + bm2

We make the convention that m = ∞ yields (u0 , −v0 ), which is what we get if we are working with real numbers and let m → ∞. Also, possibly the denominator a + bm2 vanishes, in which case we get points “at infinity” in the uv-projective plane (see Exercise 2.14). Note that if (u, v) is any point on C with coordinates in K, then the slope m of the line through (u, v) and P is in K (or is infinite). We have therefore obtained a bijection, modulo a few technicalities, between values of m (including ∞) and points on C (including points at infinity). The main point is that we have obtained a parameterization of the points on C. A similar procedure works for any conic section containing a point with coordinates in K. Which value of m corresponds to the original point (u0 , v0 )? Let m be the slope of the tangent line at (u0 , v0 ). The second point of intersection of the tangent line with the curve is again the point (u0 , v0 ), so this slope is the desired value of m. The value m = 0 yields the point (−u0 , v0 ). This can be seen from the formulas, or from the fact that the line through (−u0 , v0 ) and (u0 , v0 ) has slope 0. We now want to intersect C, regarded as a “cylinder” in uvw-space, with the surface cu2 + dw2 = f . Substitute the expression just obtained for u to obtain  2 2au0 + 2bv0 m 2 dw = f − c u0 − . a + bm2

SECTION 2.5 OTHER EQUATIONS FOR ELLIPTIC CURVES

41

This may be rewritten as d(w(a + bm2 ))2 = (a + bm2 )2 f − c(bu0 m2 − 2bv0 m − au0 )2 = (b2 f − cb2 u20 )m4 + · · · . This may now be changed to Weierstrass form by the procedure given earlier. Note that the leading coefficient b2 f − cb2 u20 equals b2 dw02 . If w0 = 0, then fourth degree polynomial becomes a cubic polynomial, so the equation just obtained is easily put into Weierstrass form. The leading term of this cubic polynomial vanishes if and only if v0 = 0. But in this case, the point (u0 , v0 , w0 ) = (u0 , 0, 0) is a singular point of the uvw curve – a situation that we should avoid (see Exercise 2.15). The procedure for changing “square = degree four polynomial” into Weierstrass form requires a point satisfying this equation. We could let m be the slope of the tangent line at (u0 , v0 ), which corresponds to the point (u0 , v0 ). The formula of Theorem 2.17 then requires that we shift the value of m to obtain m = 0. Instead, it’s easier to use m = 0 directly, since this value corresponds to (−u0 , v0 ), as pointed out above. Example 2.3 Consider the intersection u2 + v 2 = 2,

u2 + 4w2 = 5.

Let (u0 , v0 , w0 ) = (1, 1, 1). First, we parameterize the solutions to u2 +v 2 = 2. Let u = 1 + t, v = 1 + mt. This yields (1 + t)2 + (1 + mt)2 = 2, which yields t(2 + 2m) + t2 (1 + m2 ) = 0. Discarding the solution t = 0, we obtain t = −(2 + 2m)/(1 + m2 ), hence u=1−

2 + 2m m2 − 2m − 1 = , 2 1+m 1 + m2

v =1−m

2 + 2m 1 − 2m − m2 = . 2 1+m 1 + m2

Note that m = −1 corresponds to (u, v) = (1, 1) (this is because the tangent at this point has slope m = −1). Substituting into u2 + 4w2 = 5 yields 4(w(1 + m2 ))2 = 5(1 + m2 )2 − (m2 − 2m − 1)2 = 4m4 + 4m3 + 8m2 − 4m + 4. Letting r = w(1 + m2 ) yields r2 = m4 + m3 + 2m2 − m + 1. In Theorem 2.17, we use q = 1. The formulas then change this curve to the generalized Weierstrass equation 7 y 2 − xy + 2y = x3 + x2 − 4x − 7. 4

42

CHAPTER 2

THE BASIC THEORY

Completing the square yields y12 = x3 + 2x2 − 5x − 6, where y1 = y + 1 − 12 x.

2.6 Other Coordinate Systems The formulas for adding two points on an elliptic curve in Weierstrass form require 2 multiplications, 1 squaring, and 1 inversion in the field. Although finding inverses is fast, it is much slower than multiplication. In [27, p. 282], it is estimated that inversion takes between 9 and 40 times as long as multiplication. Moreover, squaring takes about 0.8 the time of multiplication. In many situations, this distinction makes no difference. However, if a central computer needs to verify many signatures in a second, such distinctions can become relevant. Therefore, it is sometimes advantageous to avoid inversion in the formulas for point addition. In this section, we discuss a few alternative formulas where this can be done.

2.6.1 Projective Coordinates A natural method is to write all the points as points (x : y : z) in projective space. By clearing denominators in the standard formulas for addition, we obtain the following: Let Pi = (xi : yi : zi ), i = 1, 2, be points on the elliptic curve y 2 z = 3 x + Axz 2 + Bz 3 . Then (x1 : y1 : z1 ) + (x2 : y2 : z2 ) = (x3 : y3 : z3 ), where x3 , y3 , z3 are computed as follows: When P1
= ±P2 , u = y 2 z1 − y 1 z2 , x3 = vw,

v = x2 z1 − x1 z2 ,

w = u2 z1 z2 − v 3 − 2v 2 x1 z2 ,

y3 = u(v 2 x1 z2 − w) − v 3 y1 z2 ,

z3 = v 3 z 1 z 2 .

When P1 = P2 , t = Az12 + 3x21 , x3 = 2uw,

u = y 1 z1 ,

v = ux1 y1 ,

y3 = t(4v − w) − 8y12 u2 ,

w = t2 − 8v, z3 = 8u3 .

When P1 = −P2 , we have P1 + P2 = ∞. Point addition takes 12 multiplications and 2 squarings, while point doubling takes 7 multiplications and 5 squarings. No inversions are needed. Since

SECTION 2.6 OTHER COORDINATE SYSTEMS

43

addition and subtraction are much faster than multiplication, we do not consider them in our analysis. Similarly, multiplication by a constant is not included.

2.6.2 Jacobian Coordinates A modification of projective coordinates leads to a faster doubling procedure. Let (x : y : z) represent the affine point (x/z 2 , y/z 3 ). This is somewhat natural since, as we’ll see in Chapter 11, the function x has a double pole at ∞ and the function y has a triple pole at ∞. The elliptic curve y 2 = x3 + Ax + B becomes y 2 = x3 + Axz 4 + Bz 6 . The point at infinity now has the coordinates ∞ = (1 : 1 : 0). Let Pi = (xi : yi : zi ), i = 1, 2, be points on the elliptic curve y 2 = 3 x + Axz 4 + Bz 6 . Then (x1 : y1 : z1 ) + (x2 : y2 : z2 ) = (x3 : y3 : z3 ), where x3 , y3 , z3 are computed as follows: When P1
= ±P2 , r = x1 z22 ,

s = x2 z12 , 3

2

t = y1 z23 , 2

x3 = −v − 2rv + w ,

u = y2 z13 , 3

v = s − r,

2

y3 = −tv + (rv − x3 )w,

w = u − t,

z3 = vz1 z2 .

When P1 = P2 , v = 4x1 y12 , x3 = −2v + w2 ,

w = 3x21 + Az14 ,

y3 = −8y14 + (v − x3 )w,

z3 = 2y1 z1 .

When P1 = −P2 , we have P1 + P2 = ∞. Addition of points takes 12 multiplications and 4 squarings. Doubling takes 3 multiplications and 6 squarings. There are no inversions. When A = −3, a further speed-up is possible in doubling: we have w = 3(x21 − z14 ) = 3(x1 + z12 )(x1 − z12 ), which can be computed in one squaring and one multiplication, rather than in 3 squarings. Therefore, doubling takes only 4 multiplications and 4 squarings in this case. The elliptic curves in NIST’s list of curves over fields Fp ([86], [48, p. 262]) have A = −3 for this reason. There are also situations where a point in one coordinate system can be efficiently added to a point in another coordinate system. For example, it takes only 8 multiplications and 3 squarings to add a point in Jacobian coordinates to one in affine coordinates. For much more on other choices for coordinates and on efficient point addition, see [48, Sections 3.2, 3.3] and [27, Sections 13.2, 13.3].

44

CHAPTER 2

THE BASIC THEORY

2.6.3 Edwards Coordinates In [36], Harold Edwards describes a form for elliptic curves that has certain computational advantages. The case with c = 1, d = −1 occurs in work of Euler and Gauss. Edwards restricts to the case d = 1. The more general form has subsequently been discussed by Bernstein and Lange [11]. PROPOSITION 2.18 Let K be a field of characteristic not 2. Let c, d ∈ K with c, d
= 0 and d not a square in K. The curve u2 + v 2 = c2 (1 + du2 v 2 )

C:

is isomorphic to the elliptic curve E:

y 2 = (x − c4 d − 1)(x2 − 4c4 d)

via the change of variables x=

−2c(w − c) , u2

y=

4c2 (w − c) + 2c(c4 d + 1)u2 , u3

where w = (c2 du2 − 1)v. The point (0, c) is the identity for the group law on C, and the addition law is   u 1 v2 + u 2 v1 v1 v2 − u 1 u 2 (u1 , v1 ) + (u2 , v2 ) = , c(1 + du1 u2 v1 v2 ) c(1 − du1 u2 v1 v2 ) for all points (ui , vi ) ∈ C(K). The negative of a point is −(u, v) = (−u, v). PROOF

Write the equation of the curve as

 u2 − c2 = c2 du2 − 1 v 2 =

w2 c2 du2

−1

.

This yields the curve w2 = c2 du4 − (c4 d + 1)u2 + c2 . The formulas in Section 2.5.3 then change this curve to Weierstrass form. The formula for the addition law can be obtained by a straightforward computation. It remains to show that the addition law is defined for all points in C(K). In other words, we need to show that the denominators are nonzero. Suppose

SECTION 2.7

45

THE j-INVARIANT

du1 v1 u2 v2 = −1. Then ui , vi
= 0 and u1 v1 = −1/du2 v2 . Substituting into the formula for C yields   1 u2 + v 2 u21 + v12 = c2 1 + 2 2 = 2 2 22 . du2 v2 du2 v2 Therefore, 2

(u1 + v1 ) = u21 + v12 + 2u1 v1 1 = d



u22 + v22 − 2u2 v2 u22 v22



2

=

1 (u2 − v2 ) . d (u2 v2 )2

Since d is not a square, this must reduce to 0 = 0, so u1 + v1 = 0. Similarly, 2 1 (u2 + v2 ) 2 , (u1 − v1 ) = d (u2 v2 )2 which implies that u1 − v1 = 0. Therefore, u1 = v1 = 0, which is a contradiction. The case where du1 v1 u2 v2 = 1 similarly produces a contradiction. Therefore, the addition formula is always defined for points in C(K). An interesting feature is that there are not separate formulas for 2P and P1 + P2 when P1
= P2 . The formula for adding points can be written in projective coordinates. The resulting computation takes 10 multiplications and 1 squaring for both point addition and point doubling. Although any elliptic curve can be put into the form of the proposition over an algebraically closed field, this often cannot be done over the base field. An easy way to see this is that there is a point of order 2. In fact, the point (c, 0) on C has order 4 (Exercise 2.7), so a curve that can be put into Edwards form over a field must have a point of order 4 defined over that field.

2.7 The j-invariant Let E be the elliptic curve given by y 2 = x3 + Ax + B, where A, B are elements of a field K of characteristic not 2 or 3. If we let x1 = µ2 x,

y1 = µ3 y,

×

with µ ∈ K , then we obtain y12 = x31 + A1 x1 + B1 ,

(2.8)

46

CHAPTER 2

with

THE BASIC THEORY

A1 = µ4 A, B1 = µ6 B.

(In the generalized Weierstrass equation y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 , this change of variables yields new coefficients µi ai . This explains the numbering of the coefficients.) Define the j-invariant of E to be j = j(E) = 1728

4A3 . 4A3 + 27B 2

Note that the denominator is the negative of the discriminant of the cubic, hence is nonzero by assumption. The change of variables (2.8) leaves j unchanged. The converse is true, too. THEOREM 2.19 Let y12 = x31 + A1 x1 + B1 and y22 = x32 + A2 x2 + B2 be two elliptic curves with j-invariants j1 and j2 , respectively. If j1 = j2 , then there exists µ
= 0 in K (= algebraic closure of K) such that A2 = µ4 A1 , The transformation

x2 = µ2 x1 ,

B2 = µ6 B1 . y2 = µ3 y1

takes one equation to the other. PROOF First, assume that A1
= 0. Since this is equivalent to j1
= 0, we also have A2
= 0. Choose µ such that A2 = µ4 A1 . Then 4A32 4A31 4µ−12 A32 4A32 = = = , 4A32 + 27B22 4A31 + 27B12 4µ−12 A32 + 27B12 4A32 + 27µ12 B12 which implies that

B22 = (µ6 B1 )2 .

Therefore B2 = ±µ6 B1 . If B2 = µ6 B1 , we’re done. If B2 = −µ6 B1 , then change µ to iµ (where i2 = −1). This preserves the relation A2 = µ4 A1 and also yields B2 = µ6 B1 . If A1 = 0, then A2 = 0. Since 4A3i + 27Bi2
= 0, we have B1 , B2
= 0. Choose µ such that B2 = µ6 B1 . There are two special values of j that arise quite often: 1. j = 0: In this case, the elliptic curve E has the form y 2 = x3 + B. 2. j = 1728: In this case, the elliptic curve has the form y 2 = x3 + Ax.

SECTION 2.8 ELLIPTIC CURVES IN CHARACTERISTIC 2

47

The first one, with B = −432, was obtained in Section 2.5.2 from the Fermat equation x3 + y 3 + z 3 = 0. The second curve, once with A = −25 and once with A = −4, appeared in Chapter 1. The curves with j = 0 and with j = 1728 have automorphisms (bijective group homomorphisms from the curve to itself) other than the one defined by (x, y) → (x, −y), which is an automorphism for any elliptic curve in Weierstrass form. 1. y 2 = x3 + B has the automorphism (x, y) → (ζx, −y), where ζ is a nontrivial cube root of 1. 2. y 2 = x3 + Ax has the automorphism (x, y) → (−x, iy), where i2 = −1. (See Exercise 2.17.) Note that the j-invariant tells us when two curves are isomorphic over an algebraically closed field. However, if we are working with a nonalgebraically closed field K, then it is possible to have two curves with the same j-invariant that cannot be transformed into each other using rational functions with coefficients in K. For example, both y 2 = x3 − 25x and y 2 = x3 − 4x have j = 1728. The first curve has infinitely points with coordinates in Q, for example, all integer multiples of (−4, 6) (see Section 8.4). The only rational points on the second curve are ∞, (2, 0), (−2, 0), and (0, 0) (see Section 8.4). Therefore, we cannot change one curve into the other using√only rational functions defined over Q. Of course, we can use the field √ Q( 10) to change one curve to the other via (x, y) → (µ2 x, µ3 y), where µ = 10/2. If two different elliptic curves defined over a field K have the same jinvariant, then we say that the two curves are twists of each other. Finally, we note that j is the j-invariant of 2j 3j x+ (2.9) y 2 = x3 + 1728 − j 1728 − j when j
= 0, 1728. Since y 2 = x3 + 1 and y 2 = x3 + x have j-invariants 0 and 1728, we find the j-invariant gives a bijection between elements of K and K-isomorphism classes of elliptic curves defined over K (that is, each j ∈ K corresponds to an elliptic curve defined over K, and any two elliptic curves defined over K and with the same j-invariant can be transformed into each other by a change of variables (2.8) defined over K). If the characteristic of K is 2 or 3, the j-invariant can also be defined, and results similar to the above one hold. See Section 2.8 and Exercise 2.18.

2.8 Elliptic Curves in Characteristic 2 Since we have been using the Weierstrass equation rather than the generalized Weierstrass equation in most of the preceding sections, the formulas

48

CHAPTER 2

THE BASIC THEORY

given do not apply when the field K has characteristic 2. In this section, we sketch what happens in this case. Note that the Weierstrass equation is singular. Let f (x, y) = y 2 − x3 − Ax − B. Then fy = 2y = 0, since 2 = 0 in characteristic 2. Let x0 be a root (possibly in some extension of K) of fx = −3x2 − A = 0 and let y0 be the square root of x30 + Ax0 + B. Then (x0 , y0 ) lies on the curve and fx (x0 , y0 ) = fy (x0 , y0 ) = 0. Therefore, we work with the generalized Weierstrass equation for an elliptic curve E: y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 . If a1
= 0, then the change of variables x = a21 x1 + (a3 /a1 ),

2 2 y = a31 y1 + a−3 1 (a1 a4 + a3 )

changes the equation to the form y12 + x1 y1 = x31 + a
2 x21 + a
6 . This curve is nonsingular if and only if a
6
= 0. The j-invariant in this case is defined to be 1/a
6 (more precisely, there are formulas for the j-invariant of the generalized Weierstrass form, and these yield 1/a
6 in this case). If a1 = 0, we let x = x1 + a2 , y = y1 to obtain an equation of the form y12 + a
3 y1 = x31 + a
4 x1 + a
6 . This curve is nonsingular if and only if a
3
= 0. The j-invariant is defined to be 0. Let’s return to the generalized Weierstrass equation and look for points at infinity. Make the equation homogeneous: y 2 z + a1 xyz + a3 yz 2 = x3 + a2 x2 z + a4 xz 2 + a6 z 3 . Now set z = 0 to obtain 0 = x3 . Therefore, ∞ = (0 : 1 : 0) is the only point at infinity on E, just as with the standard Weierstrass equation. A line L through (x0 , y0 ) and ∞ is a vertical line x = x0 . If (x0 , y0 ) lies on E then the other point of intersection of L and E is (x0 , −a1 x0 − a3 − y0 ). See Exercise 2.9. We can now describe addition of points. Of course, P + ∞ = P , for all points P . Three points P, Q, R add to ∞ if and only if they are collinear. The negation of a point is given by −(x, y) = (x, −a1 x − a3 − y). To add two points P1 and P2 , we therefore proceed as follows. Draw the line L through P1 and P2 (take the tangent if P1 = P2 ). It will intersect E in a third point P3
. Now compute P3 = −P3
by the formula just given (do not simply reflect across the x-axis). Then P1 + P2 = P3 .

SECTION 2.8 ELLIPTIC CURVES IN CHARACTERISTIC 2

49

The proof that this addition law is associative is the same as that given in Section 2.4. The points on E, including ∞, therefore form an abelian group. Since we will need it later, let’s look at the formula for doubling a point in characteristic 2. To keep the formulas from becoming too lengthy, we’ll treat separately the two cases obtained above. 1. y 2 + xy = x3 + a2 x2 + a6 . Rewrite this as y 2 + xy + x3 + a2 x2 + a6 = 0 (remember, we are in characteristic 2). Implicit differentiation yields xy
+ (y + x2 ) = 0 (since 2 = 0 and 3 = 1). Therefore the slope of the line L through P = (x0 , y0 ) is m = (y0 + x20 )/x0 . The line is y = m(x − x0 ) + y0 = mx + b for some b. Substitute to find the intersection (x1 , y1 ) of L and E: 0 = (mx + b)2 + x(mx + b) + x3 + a2 x2 + a6 = x3 + (m2 + m + a2 )x2 + · · · . The sum x0 + x0 + x1 of the roots is (m2 + m + a2 ), so we obtain x1 = m2 + m + a2 =

y02 + x40 + x0 y0 + x30 + a2 x20 x4 + a6 = 0 2 2 x0 x0

(since y02 = x0 y0 + x30 + a2 x20 + a6 ). The y-coordinate of the intersection is y1 = m(x1 − x0 ) + y0 . The point (x1 , y1 ) equals −2P . Therefore 2P = (x2 , y2 ), with x2 = (x40 + a6 )/x20 ,

y2 = −x1 − y1 = x1 + y1 .

2. y 2 + a3 y = x3 + a4 x + a6 . Rewrite this as y 2 + a3 y + x3 + a4 x + a6 = 0. Implicit differentiation yields a3 y
+ (x2 + a4 ) = 0. Therefore the tangent line L is y = m(x − x0 ) + y0 ,

with

m=

x20 + a4 . a3

Substituting and solving, as before, finds the point of intersection (x1 , y1 ) of L and E, where x4 + a2 x1 = m2 = 0 2 4 a3 and y1 = m(x1 − x0 ) + y0 . Therefore, 2P = (x2 , y2 ) with x2 = (x40 + a24 )/a23 ,

y2 = a3 + y1 .

50

CHAPTER 2

THE BASIC THEORY

2.9 Endomorphisms The main purpose of this section is to prove Proposition 2.21, which will be used in the proof of Hasse’s theorem in Chapter 4. We’ll also prove a few technical results on separable endomorphisms. The reader willing to believe that every endomorphism used in this book is separable, except for powers of the Frobenius map and multiplication by multiples of p in characteristic p, can safely omit the technical parts of this section. By an endomorphism of E, we mean a homomorphism α : E(K) → E(K) that is given by rational functions. In other words, α(P1 +P2 ) = α(P1 )+α(P2 ), and there are rational functions (quotients of polynomials) R1 (x, y), R2 (x, y) with coefficients in K such that α(x, y) = (R1 (x, y), R2 (x, y)) for all (x, y) ∈ E(K). There are a few technicalities when the rational functions are not defined at a point. These will be dealt with below. Of course, since α is a homomorphism, we have α(∞) = ∞. We will also assume that α is nontrivial; that is, there exists some (x, y) such that α(x, y)
= ∞. The trivial endomorphism that maps every point to ∞ will be denoted by 0. Example 2.4 Let E be given by y 2 = x3 + Ax + B and let α(P ) = 2P . Then α is a homomorphism and α(x, y) = (R1 (x, y), R2 (x, y)) , where 

3x2 + A 2y

2

− 2x  2   2 2 3x + A 3x + A − y. R2 (x, y) = 3x − 2y 2y R1 (x, y) =

Since α is a homomorphism given by rational functions it is an endomorphism of E. It will be useful to have a standard form for the rational functions describing an endomorphism. For simplicity, we assume that our elliptic curve is given in Weierstrass form. Let R(x, y) be any rational function. Since y 2 = x3 +Ax+B for all (x, y) ∈ E(K), we can replace any even power of y by a polynomial in x and replace any odd power of y by y times a polynomial in x and obtain a

SECTION 2.9

ENDOMORPHISMS

51

rational function that gives the same function as R(x, y) on points in E(K). Therefore, we may assume that R(x, y) =

p1 (x) + p2 (x)y . p3 (x) + p4 (x)y

Moreover, we can rationalize the denominator by multiplying the numerator and denominator by p3 − p4 y and then replacing y 2 by x3 + Ax + B. This yields R(x, y) =

q1 (x) + q2 (x)y . q3 (x)

(2.10)

Consider an endomorphism given by α(x, y) = (R1 (x, y), R2 (x, y)), as above. Since α is a homomorphism, α(x, −y) = α(−(x, y)) = −α(x, y). This means that R1 (x, −y) = R1 (x, y)

and

R2 (x, −y) = −R2 (x, y).

Therefore, if R1 is written in the form (2.10), then q2 (x) = 0, and if R2 is written in the form (2.10), then the corresponding q1 (x) = 0. Therefore, we may assume that α(x, y) = (r1 (x), r2 (x)y) with rational functions r1 (x), r2 (x). We can now say what happens when one of the rational functions is not defined at a point. Write r1 (x) = p(x)/q(x) with polynomials p(x) and q(x) that do not have a common factor. If q(x) = 0 for some point (x, y), then we assume that α(x, y) = ∞. If q(x)
= 0, then Exercise 2.19 shows that r2 (x) is defined; hence the rational functions defining α are defined. We define the degree of α to be deg(α) = Max{deg p(x), deg q(x)} if α is nontrivial. When α = 0, let deg(0) = 0. Define α
= 0 to be a separable endomorphism if the derivative r1
(x) is not identically zero. This is equivalent to saying that at least one of p
(x) and q
(x) is not identically zero. See Exercise 2.22. (In characteristic 0, a nonconstant polynomial will

52

CHAPTER 2

THE BASIC THEORY

have nonzero derivative. In characteristic p > 0, the polynomials with zero derivative are exactly those of the form g(xp ).) Example 2.5 We continue with the previous example, where α(P ) = 2P . We have  2 2 3x + A R1 (x, y) = − 2x. 2y The fact that y 2 = x3 + Ax + B, plus a little algebraic manipulation, yields r1 (x) =

x4 − 2Ax2 − 8Bx + A2 . 4(x3 + Ax + B)

(This is the same as the expression in terms of division polynomials that will be given in Section 3.2.) Therefore, deg(α) = 4. The polynomial q
(x) = 4(3x2 + A) is not zero (including in characteristic 3, since if A = 0 then x3 + B has multiple roots, contrary to assumption). Therefore α is separable.

Example 2.6 Let’s repeat the previous example, but in characteristic 2. We’ll use the formulas from Section 2.8 for doubling a point. First, let’s look at y 2 + xy = x3 + a2 x2 + a6 . We have α(x, y) = (r1 (x), R2 (x, y)) with r1 (x) = (x4 + a6 )/x2 . Therefore deg(α) = 4. Since p
(x) = 4x3 = 0 and q
(x) = 2x = 0, the endomorphism α is not separable. Similarly, in the case y 2 +a3 y = x3 +a4 x+a6 , we have r1 (x) = (x4 +a24 )/a23 . Therefore, deg(α) = 4, but α is not separable. In general, in characteristic p, the map α(Q) = pQ has degree p2 and is not separable. The statement about the degree is Corollary 3.7. The fact that α is not separable is proved in Proposition 2.28. An important example of an endomorphism is the Frobenius map. Suppose E is defined over the finite field Fq . Let φq (x, y) = (xq , y q ). The Frobenius map φq plays a crucial role in the theory of elliptic curves over Fq . LEMMA 2.20 Let E be defined over Fq . Then φq is an endomorphism of E of degree q, and φq is not separable.

SECTION 2.9

ENDOMORPHISMS

53

PROOF Since φq (x, y) = (xq , y q ), the map is given by rational functions (in fact, by polynomials) and the degree is q. The main point is that φq : E(Fq ) → E(Fq ) is a homomorphism. Let (x1 , y1 ), (x2 , y2 ) ∈ E(Fq ) with x1
= x2 . The sum is (x3 , y3 ), with x3 = m2 − x1 − x2 ,

y3 = m(x1 − x3 ) − y1 ,

where m =

y2 − y1 x2 − x1

(we are working with the Weierstrass form here; the proof for the generalized Weierstrass form is essentially the same). Raise everything to the qth power to obtain 2

xq3 = m
− xq1 − xq2 ,

y3q = m
(xq1 − xq3 ) − y1q ,

where m
=

y2q − y1q . xq2 − xq1

This says that φq (x3 , y3 ) = φq (x1 , y1 ) + φq (x2 , y2 ). The cases where x1 = x2 or where one of the points is ∞ are checked similarly. However, there is one subtlety that arises when adding a point to itself. The formula says that 2(x1 , y1 ) = (x3 , y3 ), with x3 = m2 − 2x1 ,

y3 = m(x1 − x3 ) − y1 ,

where m =

3x21 + A . 2y1

When this is raised to the qth power, we obtain 2

xq3 = m
− 2xq1 ,

y3q = m
(xq1 − xq3 ) − y1q ,

where m
=

3q (xq1 )2 + Aq . 2q y1q

Since 2, 3, A ∈ Fq , we have 2q = 2, 3q = 3, Aq = A. This means that we obtain the formula for doubling the point (xq1 , y1q ) on E (if Aq didn’t equal A, we would be working on a new elliptic curve with Aq in place of A). Since φq is a homomorphism given by rational functions, it is an endomorphism of E. Since q = 0 in Fq , the derivative of xq is identically zero. Therefore, φq is not separable. The following result will be crucial in the proof of Hasse’s theorem in Chapter 4 and in the proof of Theorem 3.2. PROPOSITION 2.21 Let α
= 0 be a separable endomorphism of an elliptic curve E. Then deg α = #Ker(α), where Ker(α) is the kernel of the homomorphism α : E(K) → E(K). If α
= 0 is not separable, then deg α > #Ker(α).

54

CHAPTER 2

THE BASIC THEORY

PROOF Write α(x, y) = (r1 (x), yr2 (x)) with r1 (x) = p(x)/q(x), as above. Then r1

= 0, so p
q − pq
is not the zero polynomial. Let S be the set of x ∈ K such that (pq
−p
q)(x) q(x) = 0. Let (a, b) ∈ E(K) be such that 1. a
= 0, b
= 0, (a, b)
= ∞, 2. deg (p(x) − aq(x)) = Max{deg(p), deg(q)} = deg(α), 3. a
∈ r1 (S), and 4. (a, b) ∈ α(E(K)). Since pq
−p
q is not the zero polynomial, S is a finite set, hence its image under α is finite. The function r1 (x) is easily seen to take on infinitely many distinct values as x runs through K. Since, for each x, there is a point (x, y) ∈ E(K), we see that α(E(K)) is an infinite set. Therefore, such an (a, b) exists. We claim that there are exactly deg(α) points (x1 , y1 ) ∈ E(K) such that α(x1 , y1 ) = (a, b). For such a point, we have p(x1 ) = a, q(x1 )

y1 r2 (x1 ) = b.

Since (a, b)
= ∞, we must have q(x1 )
= 0. By Exercise 2.19, r2 (x1 ) is defined. Since b
= 0 and y1 r2 (x1 ) = b, we must have y1 = b/r2 (x1 ). Therefore, x1 determines y1 in this case, so we only need to count values of x1 . By assumption (2), p(x) − aq(x) = 0 has deg(α) roots, counting multiplicities. We therefore must show that p − aq has no multiple roots. Suppose that x0 is a multiple root. Then p(x0 ) − aq(x0 ) = 0

and

p
(x0 ) − aq
(x0 ) = 0.

Multiplying the equations p = aq and aq
= p
yields ap(x0 )q
(x0 ) = ap
(x0 )q(x0 ). Since a
= 0, this implies that x0 is a root of pq
− p
q, so x0 ∈ S. Therefore, a = r1 (x0 ) ∈ r1 (S), contrary to assumption. It follows that p − aq has no multiple roots, and therefore has deg(α) distinct roots. Since there are exactly deg(α) points (x1 , y1 ) with α(x1 , y1 ) = (a, b), the kernel of α has deg(α) elements. Of course, since α is a homomorphism, for each (a, b) ∈ α(E(K)), there are exactly deg(α) points (x1 , y1 ) with α(x1 , y1 ) = (a, b). The assumptions on (a, b) were made during the proof to obtain this result for at least one point, which suffices. If α is not separable, then the steps of the above proof hold, except that p
− aq
is always the zero polynomial, so p(x) − aq(x) = 0 always has multiple roots and therefore has fewer than deg(α) solutions.

SECTION 2.9

ENDOMORPHISMS

55

THEOREM 2.22 Let E be an elliptic curve defined over a field K. Let α
= 0 be an endomorphism of E. Then α : E(K) → E(K) is surjective. REMARK 2.23 We definitely need to be working with K instead of K in the theorem. For example, the Mordell-Weil theorem (Theorem 8.17) implies that multiplication by 2 cannot be surjective on E(Q) if there is a point in E(Q) of infinite order. Intuitively, working with an algebraically closed field allows us to solve the equations defining α in order to find the inverse image of a point. PROOF Let (a, b) ∈ E(K). Since α(∞) = ∞, we may assume that (a, b)
= ∞. Let r1 (x) = p(x)/q(x) be as above. If p(x) − aq(x) is not a constant polynomial, then it has a root x0 . Since p and q have no common roots, q(x0 )
= 0. Choose y0 ∈ K to be either square root of x30 + Ax0 + B. Then α(x0 , y0 ) is defined (Exercise 2.19) and equals (a, b
) for some b
. Since 2 b
= a3 + Aa + B = b2 , we have b = ±b
. If b
= b, we’re done. If b
= −b, then α(x0 , −y0 ) = (a, −b
) = (a, b). We now need to consider the case when p − aq is constant. Since E(K) is infinite and the kernel of α is finite, only finitely many points of E(K) can map to a point with a given x-coordinate. Therefore, either p(x) or q(x) is not constant. If p and q are two nonconstant polynomials, then there is at most one constant a such that p − aq is constant (if a
is another such number, then (a
−a)q = (p−aq)−(p−a
q) is constant and (a
−a)p = a
(p−aq)−a(p−a
q) is constant, which implies that p and q are constant). Therefore, there are at most two points, (a, b) and (a, −b) for some b, that are not in the image of α. Let (a1 , b1 ) be any other point. Then α(P1 ) = (a1 , b1 ) for some P1 . We can choose (a1 , b1 ) such that (a1 , b1 ) + (a, b)
= (a, ±b), so there exists P2 with α(P2 ) = (a1 , b1 ) + (a, b). Then α(P2 − P1 ) = (a, b), and α(P1 − P2 ) = (a, −b). Therefore, α is surjective. For later applications, we need a convenient criterion for separability. If (x, y) is a variable point on y 2 = x3 + Ax + B, then we can differentiate y with respect to x: 2yy
= 3x2 + A. Similarly, we can differentiate a rational function f (x, y) with respect to x: d f (x, y) = fx (x, y) + fy (x, y)y
, dx where fx and fy denote the partial derivatives.

56

CHAPTER 2

THE BASIC THEORY

LEMMA 2.24 Let E be the elliptic curve y 2 = x3 + Ax + B. Fix a point (u, v) on E. Write (x, y) + (u, v) = (f (x, y), g(x, y)), where f (x, y) and g(x, y) are rational functions of x, y (the coefficients depend on (u, v)) and y is regarded as a function of x satisfying dy/dx = (3x2 + A)/(2y). Then d 1 dx f (x, y) = . g(x, y) y PROOF

The addition formulas give 

2 y−v −x−u x−u −(y − v)3 + x(y − v)(x − u)2 + 2u(y − v)(x − u)2 − v(x − u)3 g(x, y) = (x − u)3 d 2y
(y − v)(x − u) − 2(y − v)2 − (x − u)3 f (x, y) = . dx (x − u)3 f (x, y) =

A straightforward but lengthy calculation, using the fact that 2yy
= 3x2 + A, yields d f (x, y) − g(x, y)) dx = v(Au + u3 − v 2 − Ax − x3 + y 2 ) + y(−Au − u3 + v 2 + Ax + x3 − y 2 ). (x − u)3 (y

Since (u, v) and (x, y) are on E, we have v 2 = u3 +Au+B and y 2 = x3 +Ax+B. Therefore, the above expression becomes v(−B + B) + y(B − B) = 0. d Therefore, y dx f (x, y) = g(x, y).

REMARK 2.25 Lemma 2.24 is perhaps better stated in terms of differentials. It says that the differential dx/y is translation invariant. In fact, it is the unique translation invariant differential, up to scalar multiples, for E. See [109]. LEMMA 2.26 Let α1 , α2 , α3 be nonzero endomorphisms of an elliptic curve E with α1 +α2 = α3 . Write αj (x, y) = (Rαj (x), ySαj (x)).

SECTION 2.9

ENDOMORPHISMS

57

Suppose there are constants cα1 , cα2 such that
Rα (x) 1 = cα1 , Sα1 (x)

Then

PROOF


Rα (x) 2 = cα2 . Sα2 (x)


Rα (x) 3 = cα1 + cα2 . Sα3 (x)

Let (x1 , y1 ) and (x2 , y2 ) be variable points on E. Write (x3 , y3 ) = (x1 , y1 ) + (x2 , y2 ),

where (x1 , y1 ) = α1 (x, y),

(x2 , y2 ) = α2 (x, y).

Then x3 and y3 are rational functions of x1 , y1 , x2 , y2 , which in turn are rational functions of x, y. By Lemma 2.24, with (u, v) = (x2 , y2 ), ∂x3 ∂x3 dy1 y3 + = . ∂x1 ∂y1 dx1 y1 Similarly, ∂x3 ∂x3 dy2 y3 + = . ∂x2 ∂y2 dx2 y2 By assumption, dxj yj = cαj dx y for j = 1, 2. By the chain rule, ∂x3 dx1 ∂x3 dy1 dx1 ∂x3 dx2 ∂x3 dy2 dx2 dx3 = + + + dx ∂x1 dx ∂y1 dx1 dx ∂x2 dx ∂y2 dx2 dx y3 y2 y3 y1 cα + cα = y1 y 1 y2 y 2 y3 = (cα1 + cα2 ) . y Dividing by y3 /y yields the result. REMARK 2.27 In terms of differentials (see the previous Remark), we have (dx/y)◦α is a translation-invariant differential on E. Therefore it must be a scalar multiple cα dx/y of dx/y. It follows that every nonzero endomorphism α satisfies the hypotheses of Lemma 2.26.

58

CHAPTER 2

THE BASIC THEORY

PROPOSITION 2.28 Let E be an elliptic curve defined over a field K, and let n be a nonzero integer. Suppose that multiplication by n on E is given by n(x, y) = (Rn (x), ySn (x)) for all (x, y) ∈ E(K), where Rn and Sn are rational functions. Then Rn
(x) = n. Sn (x) Therefore, multiplication by n is separable if and only if n is not a multiple of the characteristic p of the field.
PROOF Since R−n = Rn and S−n = −Sn , we have R−n /S−n = −Rn
/Sn . Therefore, the result for positive n implies the result for negative n. Note that the first part of the proposition is trivially true for n = 1. If it is true for n, then Lemma 2.26 implies that it is true for n + 1, which is the
Rn (x) = n for all n. sum of n and 1. Therefore, S(x)
We have Rn (x)
= 0 if and only if n = Rn
(x)/Sn (x)
= 0, which is equivalent to p not dividing n. Since the definition of separability is that Rn

= 0, this proves the second part of the proposition.

Finally, we use Lemma 2.26 to prove a result that will be needed in Sections 3.2 and 4.2. Let E be an elliptic curve defined over a finite field Fq . The Frobenius endomorphism φq is defined by φq (x, y) = (xq , y q ). It is an endomorphism of E by Lemma 2.20. PROPOSITION 2.29 Let E be an elliptic curve defined over Fq , where q is a power of the prime p. Let r and s be integers, not both 0. The endomorphism rφq + s is separable if and only if p
s. PROOF

Write the multiplication by r endomorphism as r(x, y) = (Rr (x), ySr (x)).

Then (Rrφq (x), ySrφq (x)) = (φq r)(x, y) = (Rrq (x), y q Srq (x))   = Rrq (x), y(x3 + Ax + B)(q−1)/2 Srq (x) . Therefore,


/Srφq = qRrq−1 Rr
/Srφq = 0. crφq = Rrφ q

SECTION 2.10 SINGULAR CURVES

59

Also, cs = Rs
/Ss = s by Proposition 2.28. By Lemma 2.26,
/Srφq +s = crφq +s = crφq + cs = 0 + s = s. Rrφ q +s

= 0 if and only if p
s. Therefore, Rrφ q +s

2.10 Singular Curves We have been working with y 2 = x3 + Ax + B under the assumption that x + Ax + B has distinct roots. However, it is interesting to see what happens when there are multiple roots. It will turn out that elliptic curve addition becomes either addition of elements in K or multiplication of elements in K × or in a quadratic extension of K. This means that an algorithm for a group E(K) arising from elliptic curves, such as one to solve a discrete logarithm problem (see Chapter 5), will probably also apply to these more familiar situations. See also Chapter 7. Moreover, as we’ll discuss briefly at the end of this section, singular curves arise naturally when elliptic curves defined over the integers are reduced modulo various primes. We first consider the case where x3 + Ax + B has a triple root at x = 0, so the curve has the equation y 2 = x3 . 3

The point (0, 0) is the only singular point on the curve (see Figure 2.7). Since

Figure 2.7

y 2 = x3 any line through this point intersects the curve in at most one other point,

60

CHAPTER 2

THE BASIC THEORY

(0, 0) causes problems if we try to include it in our group. So we leave it out. The remaining points, which we denote Ens (K), form a group, with the group law defined in the same manner as when the cubic has distinct roots. The only thing that needs to be checked is that the sum of two points cannot be (0, 0). But since a line through (0, 0) has at most one other intersection point with the curve, a line through two nonsingular points cannot pass through (0, 0) (this will also follow from the proof of the theorem below). THEOREM 2.30 Let E be the curve y 2 = x3 and let Ens (K) be the nonsingular points on this curve with coordinates in K, including the point ∞ = (0 : 1 : 0). The map Ens (K) → K,

(x, y) →

x , y

∞ → 0

is a group isomorphism between Ens (K) and K, regarded as an additive group. PROOF Let t = x/y. Then x = (y/x)2 = 1/t2 and y = x/t = 1/t3 . Therefore we can express all of the points in Ens (K) in terms of the parameter t. Let t = 0 correspond to (x, y) = ∞. It follows that the map of the theorem is a bijection. (Note that 1/t is the slope of the line through (0, 0) and (x, y), so this parameterization is obtained similarly to the one obtained for quadratic curves in Section 2.5.4.) Suppose (x1 , y1 ) + (x2 , y2 ) = (x3 , y3 ). We must show that t1 + t2 = t3 , where ti = xi /yi . If (x1 , y1 )
= (x2 , y2 ), the addition formulas say that
x3 =

y2 − y1 x2 − x1

2 − x1 − x2 .

Substituting xi = 1/t2i and yi = 1/t3i yields t−2 3


=

−3 t−3 2 − t1 −2 t−2 2 − t1

2

−2 − t−2 1 − t2 .

A straightforward calculation simplifies this to −2 . t−2 3 = (t1 + t2 )

Similarly,


−y3 =

y2 − y1 x2 − x1

 (x3 − x1 ) + y1

may be rewritten in terms of the ti to yield −3 t−3 . 3 = (t1 + t2 )

SECTION 2.10 SINGULAR CURVES

61

−3 Taking the ratio of the expressions for t−2 3 and t3 gives

t3 = t1 + t 2 , as desired. If (x1 , y1 ) = (x2 , y2 ), the proof is similar. Finally, the cases where one or more of the points (xi , yi ) = ∞ are easily checked.

Figure 2.8

y 2 = x3 + x2 We now consider the case where x3 + Ax + B has a double root. By translating x, we may assume that this root is 0 and the curve E has the equation y 2 = x2 (x + a) for some a
= 0. The point (0, 0) is the only singularity (see Figure 2.8). Let Ens (K) be the nonsingular points on E with coordinates in K, including the point ∞. Let α2 = a (so α might lie in an extension of K). The equation for E may be rewritten as  y 2 = a + x. x When x is near 0, the right side of this equation is approximately a. Therefore, E is approximated by (y/x)2 = a, or y/x = ±α near x = 0. This means that the two “tangents” to E at (0, 0) are y = αx

and

y = −αx

(for a different way to obtain these tangents, see Exercise 2.20).

62

CHAPTER 2

THE BASIC THEORY

THEOREM 2.31
a ∈ K. Let Ens (K) be the Let E be the curve y 2 = x2 (x + a) with 0 = nonsingular points on E with coordinates in K. Let α2 = a. Consider the map y + αx , ∞→  1. ψ : (x, y) → y − αx 1. If α ∈ K, then ψ gives an isomorphism from Ens (K) to K × , considered as a multiplicative group. 2. If α
∈ K, then ψ gives an isomorphism Ens (K)  {u + αv | u, v ∈ K, u2 − av 2 = 1}, where the right hand side is a group under multiplication. PROOF

Let t=

y + αx . y − αx

This may be solved for y/x to obtain y t+1 =α . x t−1 Since x + a = (y/x)2 , we obtain x=

4α2 t (t − 1)2

and

y=

4α3 t(t + 1) (t − 1)3

(the second is obtained from the first using y = x(y/x)). Therefore, (x, y) determines t and t determines (x, y), so the map ψ is injective, and is a bijection in case (1). In case (2), rationalize the denominator by multiplying the numerator and denominator of (y + αx)/(y − αx) by y + αx to obtain an expression of the form u + αv: (y + αx) = u + αv. (y − αx) We can change the sign of α throughout this equation and preserve the equality. Now multiply the resulting expression by the original to obtain u2 − av 2 = (u + αv)(u − αv) =

(y + αx) (y − αx) = 1. (y − αx) (y + αx)

Conversely, suppose u2 − av 2 = 1. Let
x=

u+1 v




2 − a,

y=

u+1 v

 x.

63

SECTION 2.10 SINGULAR CURVES

Then (x, y) is on the curve E and ψ(x, y) =

u + 1 + αv (y/x) + α = = u + αv (y/x) − α u + 1 − αv

(the last equality uses the fact that u2 − av 2 = 1). Therefore, ψ is surjective, hence is a bijection in case (2), too. It remains to show that ψ is a homomorphism. Suppose (x1 , y1 )+(x2 , y2 ) = (x3 , y3 ). Let yi + αxi ti = . yi − αxi We must show that t1 t2 = t3 . When (x1 , y1 )
= (x2 , y2 ), we have
2 y2 − y1 − a − x1 − x2 . x3 = x2 − x1 Substituting xi =

4α2 ti 4α3 ti (ti + 1) and y = and simplifying yields i (ti − 1)2 (ti − 1)3 4t3 4t1 t2 = . (t3 − 1)2 (t1 t2 − 1)2

Similarly,


−y3 =

yields

y2 − y1 x2 − x1

(2.11)

 (x3 − x1 ) + y1

4α3 t3 (t3 + 1) 4α3 t1 t2 (t1 t2 + 1) = . (t3 − 1)3 (t1 t2 − 1)3

The ratio of this equation and (2.11) yields t1 t2 − 1 t3 − 1 = . t3 + 1 t1 t2 + 1 This simplifies to yield t1 t2 = t3 , as desired. The case where (x1 , y1 ) = (x2 , y2 ) is similar, and the cases where one or more of the points is ∞ are trivial. This completes the proof. One situation where the above singular curves arise naturally is when we are working with curves with integral coefficients and reduce modulo various primes. For example, let E be y 2 = x(x + 35)(x − 55). Then we have E mod 5 : y 2 ≡ x3 , E mod 7 : y 2 ≡ x2 (x + 1), E mod 11 : y 2 ≡ x2 (x + 2).

64

CHAPTER 2

THE BASIC THEORY

The first case is treated in Theorem 2.30 and is called additive reduction. The second case is split multiplicative reduction and is covered by Theorem 2.31(1). In the third case, α
∈ F11 , so we are in the situation of Theorem 2.31(2). This is called nonsplit multiplicative reduction. For all primes p ≥ 13, the cubic polynomial has distinct roots mod p, so E mod p is nonsingular. This situation is called good reduction.

2.11 Elliptic Curves mod n In a few situations, we’ll need to work with elliptic curves mod n, where n is composite. We’ll also need to take elliptic curves over Q and reduce them mod n, where n is an integer. Both situations are somewhat subtle, as the following three examples show. Example 2.7 Let E be given by

y 2 = x3 − x + 1

(mod 52 ).

Suppose we want to compute (1, 1) + (21, 4). The slope of the line through the two points is 3/20. The denominator is not zero mod 25, but it is also not invertible. Therefore the slope is neither infinite nor finite mod 25. If we compute the sum using the formulas for the group law, the x-coordinate of the sum is
2 3 − 1 − 21 ≡ ∞ (mod 25). 20 But (1, 1) + (1, 24) = ∞, so we cannot also have (1, 1) + (21, 4) = ∞. Example 2.8 Let E be given by

y 2 = x3 − x + 1 (mod 35).

Suppose we want to compute (1, 1) + (26, 24). The slope is 23/25, which is infinite mod 5 but finite mod 7. Therefore, the formulas for the sum yield a point that is ∞ mod 5 but is finite mod 7. In a sense, the point is partially at ∞. We cannot express it in affine coordinates mod 35. One remedy is to use the Chinese Remainder Theorem to write E(Z35 ) = E(Z5 ) ⊕ E(Z7 ) and then work mod 5 and mod 7 separately. This strategy works well in the present case, but it doesn’t help in the previous example.

SECTION 2.11 ELLIPTIC CURVES MOD N

Example 2.9 Let E be given by

65

y 2 = x3 + 3x − 3

over Q. Suppose we want to compute (1, 1) + (

571 16379 , ). 361 6859

Since the points are distinct, we compute the slope of the line through them in the usual way. This allows us to find the sum. Now consider E mod 7. The two points are seen to be congruent mod 7, so the line through them mod 7 is the tangent line. Therefore, the formula we use to add the points mod 7 is different from the one used in Q. Suppose we want to show that the reduction map from E(Q) to E(F7 ) is a homomorphism. At first, it would seem that this is obvious, since we just take the formulas for the group law over Q and reduce them mod 7. But the present example says that sometimes we are using different formulas over Q and mod 7. A careful analysis shows that this does not cause problems, but it should be clear that the reduction map is more subtle than one might guess. The remedy for the above problems is to develop a theory of elliptic curves over rings. We follow [74]. The reader willing to believe Corollaries 2.32, 2.33, and 2.34 can safely skip the details in this section. Let R be a ring (always assumed to be commutative with 1). A tuple of elements (x1 , x2 , . . . ) from R is said to be primitive if there exist elements r1 , r2 , · · · ∈ R such that r1 x1 + r2 x2 + · · · = 1. When R = Z, this means that gcd(x1 , x2 , . . . ) = 1. When R = Zn , primitivity means that gcd(n, x1 , x2 , . . . ) = 1. When R is a field, primitivity means that at least one of the xi is nonzero. In general, primitivity means that the ideal generated by x1 , x2 , . . . is R. We say that two primitive triples (x, y, z) and (x
, y
, z
) are equivalent if there exists a unit u ∈ R× such that (x
, y
, z
) = (ux, uy, uz) (in fact, it follows easily from the existence of r, s, t with rx
+ sy
+ tz
= 1 that any u satisfying this equation must be a unit). Define 2-dimensional projective space over R to be P2 (R) = {(x, y, z) ∈ R3 | (x, y, z) is primitive} mod equivalence. The equivalence class of (x, y, z) is denoted by (x : y : z). If R is a field, P2 (R) is the same as that defined in Section 2.3. If (x : y : z) ∈ P2 (Q), we can multiply by a suitable rational number to clear

66

CHAPTER 2

THE BASIC THEORY

denominators and remove common factors from the numerators and therefore obtain a triple of integers with gcd=1. Therefore, P2 (Q) and P2 (Z) will be regarded as equal. Similarly, if R is a ring with Z ⊆ R ⊆ Q, then P2 (R) = P2 (Z). In order to work with elliptic curves over R, we need to impose two conditions on R. 1. 2 ∈ R× 2. If (aij ) is an m × n matrix such that (a11 , a12 , . . . , amn ) is primitive and such that all 2×2 subdeterminants vanish (that is, aij ak −ai akj = 0 for all i, j, k, ), then some R-linear combination of the rows is a primitive n-tuple. The first condition is needed since we’ll be working with the Weierstrass equation. In fact, we should add the condition that 3 ∈ R× if we want to change an arbitrary elliptic curve into Weierstrass form. Note that Z does not satisfy the first condition. This can be remedied by working with Z(2) = {

x | x ∈ Z, k ≥ 0}. 2k

This is a ring. As pointed out above, P2 (Z(2) ) equals P2 (Z), so the introduction of Z(2) is a minor technicality. The second condition is perhaps best understood when R is a field. In this case, the primitivity of the matrix simply means that at least one entry is nonzero. The vanishing of the 2 × 2 subdeterminants says that the rows are proportional to each other. The conclusion is that some linear combination of the rows (in this case, some row itself) is a nonzero vector. When R = Z, the primitivity of the matrix means that the gcd of the elements in the matrix is 1. Since the rows are assumed to be proportional, there is a vector v and integers a1 , . . . , am such that the ith row is ai v. The m-tuple (a1 , . . . , am ) must be primitive since the gcd of its entries divides the gcd of the entries of the matrix. Therefore, there is a linear combination of the ai ’s that equals 1. This means that some linear combination of the rows of the matrix is v. The vector v is primitive since the gcd of its entries divides the gcd of the entries of the matrix. Therefore, we have obtained a primitive vector as a linear combination of the rows of the matrix. This shows that Z satisfies the second condition. The same argument, slightly modified to handle powers of 2, shows that Z(2) also satisfies the second condition. In general, condition 2 says that projective modules over R of rank 1 are free (see [74]). In particular, this holds for local rings, for finite rings, and for Z(2) . These suffice for our purposes.

SECTION 2.11 ELLIPTIC CURVES MOD N

67

For the rest of this section, assume R is a ring satisfying 1 and 2. An elliptic curve E over R is given by a homogeneous equation y 2 z = x3 + Axz 2 + Bz 3 with A, B ∈ R such that 4A3 + 27B 2 ∈ R× . Define E(R) = {(x : y : z) ∈ P2 (R) | y 2 z = x3 + Axz 2 + Bz 3 }. The addition law is defined in essentially the same manner as in Section 2.2, but the formulas needed are significantly more complicated. To make a long story short (maybe not so short), the answer is the following. GROUP LAW Let (xi : yi : zi ) ∈ E(R) for i = 1, 2. Consider the following three sets of equations: I. x
3 = (x1 y2 − x2 y1 )(y1 z2 + y2 z1 ) + (x1 z2 − x2 z1 )y1 y2 −A(x1 z2 + x2 z1 )(x1 z2 − x2 z1 ) − 3B(x1 z2 − x2 z1 )z1 z2 y3
= −3x1 x2 (x1 y2 − x2 y1 ) − y1 y2 (y1 z2 − y2 z1 ) − A(x1 y2 − x2 y1 )z1 z2 +A(x1 z2 + x2 z1 )(y1 z2 − y2 z1 ) + 3B(y1 z2 − y2 z1 )z1 z2
z3 = 3x1 x2 (x1 z2 − x2 z1 ) − (y1 z2 + y2 z1 )(y1 z2 − y2 z1 ) +A(x1 z2 − x2 z1 )z1 z2 II. x

3 = y1 y2 (x1 y2 + x2 y1 ) − Ax1 x2 (y1 z2 + y2 z1 ) −A(x1 y2 + x2 y1 )(x1 z2 + x2 z1 ) − 3B(x1 y2 + x2 y1 )z1 z2 −3B(x1 z2 + x2 z1 )(y1 z2 + y2 z1 ) + A2 (y1 z2 + y2 z1 )z1 z2 y3

= y12 y22 + 3Ax21 x22 + 9Bx1 x2 (x1 z2 + x2 z1 ) −A2 x1 z2 (x1 z2 + 2x2 z1 ) − A2 x2 z1 (2x1 z2 + x2 z1 ) −3ABz1 z2 (x1 z2 + x2 z1 ) − (A3 + 9B 2 )z12 z22

z3

= 3x1 x2 (x1 y2 + x2 y1 ) + y1 y2 (y1 z2 + y2 z1 ) + A(x1 y2 + x2 y1 )z1 z2 +A(x1 z2 + x2 z1 )(y1 z2 + y2 z1 ) + 3B(y1 z2 + y2 z1 )z1 z2

III. x


3 = (x1 y2 + x2 y1 )(x1 y2 − x2 y1 ) + Ax1 x2 (x1 z2 − x2 z1 ) +3B(x1 z2 + x2 z1 )(x1 z2 − x2 z1 ) − A2 (x1 z2 − x2 z1 )z1 z2 y3


= (x1 y2 − x2 y1 )y1 y2 − 3Ax1 x2 (y1 z2 − y2 z1 ) +A(x1 y2 + x2 y1 )(x1 z2 − x2 z1 ) + 3B(x1 y2 − x2 y1 )z1 z2 −3B(x1 z2 + x2 z1 )(y1 z2 − y2 z1 ) + A2 (y1 z2 − y2 z1 )z1 z2

68

CHAPTER 2

THE BASIC THEORY

z3


= −(x1 y2 + x2 y1 )(y1 z2 − y2 z1 ) − (x1 z2 − x2 z1 )y1 y2 −A(x1 z2 + x2 z1 )(x1 z2 − x2 z1 ) − 3B(x1 z2 − x2 z1 )z1 z2 ⎛

⎞ x
3 y3
z3
⎝ x

3 y3

z3

⎠





x


3 y 3 z3

Then the matrix

is primitive and all 2 × 2 subdeterminants vanish. Take a primitive R-linear combination (x3 , y3 , z3 ) of the rows. Define (x1 : y1 : z1 ) + (x2 : y2 : z2 ) = (x3 : y3 : z3 ). Also, define −(x1 : y1 : z1 ) = (x1 : −y1 : z1 ). Then E(R) is an abelian group under this definition of point addition. The identity element is (0 : 1 : 0). For some of the details concerning this definition, see [74]. The equations are deduced (with a slight correction) from those in [18]. A similar set of equations is given in [72]. When R is a field, each of these equations can be shown to give the usual group law when the output is a point in P2 (R) (that is, not all three coordinates vanish). If two or three of the equations yield points in P2 (R), then these points are equal (since the 2 × 2 subdeterminants vanish). If R is a ring, then it is possible that each of the equations yields a nonprimitive output (for example, perhaps 5 divides the output of I, 7 divides the output of II, and 11 divides the output of III). If we are working with Z or Z(2) , this is no problem. Simply divide by the gcd of the entries in an output. But in an arbitrary ring, gcd’s might not exist, so we must take a linear combination to obtain a primitive vector, and hence an element in P2 (R). Example 2.10 Let R = Z25 and let E be given by y 2 = x3 − x + 1

(mod 52 ).

Suppose we want to compute (1, 1) + (21, 4), as in Example 2.7 above. Write the points in homogeneous coordinates as (x1 : y1 : z1 ) = (1 : 1 : 1),

(x2 : y2 : z2 ) = (21 : 4 : 1).

Formulas I, II, III yield (x
3 , y3
, z3
) = (5, 23, 0) (x

3 , y3

, z3

) = (5, 8, 0)







(x


3 , y3 , z3 ) = (20, 12, 0),

SECTION 2.11 ELLIPTIC CURVES MOD N

69

respectively. Note that these are all the same point in P2 (Z25 ) since (5, 23, 0) = 6(5, 8, 0) = 4(20, 12, 0). If we reduce the point (5 : 8 : 0) mod 5, we obtain (0 : 3 : 0) = (0 : 1 : 0), which is the point ∞. The fact that the point is at infinity mod 5 but not mod 25 is what caused the difficulties in our calculations in Example 2.7. Example 2.11 Let E be an elliptic curve. Suppose we use the formulas to calculate (0 : 1 : 0) + (0 : 1 : 0). Formulas I, II, III yield (0, 0, 0),

(0, 1, 0),

(0, 0, 0),

respectively. The first and third outputs do not yield points in projective space. The second says that (0 : 1 : 0) + (0 : 1 : 0) = (0 : 1 : 0). This is of course the rule ∞ + ∞ = ∞ from the usual group law on elliptic curves. The present version of the group law allows us to work with elliptic curves over rings in theoretical settings. We give three examples. COROLLARY 2.32 Let n1 and n2 be odd integers with gcd(n1 , n2 ) = 1. Let E be an elliptic curve defined over Zn1 n2 . Then there is a group isomorphism E(Zn1 n2 )  E(Zn1 ) ⊕ E(Zn2 ). PROOF Suppose that E is given by y 2 z = x3 + Axz 2 + Bz 3 with A, B ∈ Zn1 n2 and 4A3 + 27B 2 ∈ Z× n1 n2 . Then we can regard A and B as elements of Zni and we have 4A3 + 27B 2 ∈ Z× ni . Therefore, we can regard E as an elliptic curve over Zni , so the statement of the corollary makes sense. The Chinese remainder theorem says that there is an isomorphism of rings Zn1 n2  Zn1 ⊕ Zn2 given by x mod n1 n2 ←→ (x mod n1 , x mod n2 ) .

70

CHAPTER 2

THE BASIC THEORY

This yields a bijection between triples in Zn1 n2 and pairs of triples, one in Zn1 and one in Zn2 . It is not hard to see that primitive triples for Zn1 n2 correspond to pairs of primitive triples in Zn1 and Zn2 . Moreover, y 2 z ≡ x3 + Axz 2 + Bz 3 ⇐⇒

(mod n1 n2 )

y 2 z ≡ x3 + Axz 2 + Bz 3 y 2 z ≡ x3 + Axz 2 + Bz 3

(mod n1 ) (mod n2 )

Therefore, there is a bijection ψ : E(Zn1 n2 ) −→ E(Zn1 ) ⊕ E(Zn2 ). It remains to show that ψ is a homomorphism. Let P1 , P2 ∈ E(Zn1 n2 ) and let P3 = P1 + P2 . This means that there is a linear combination of the outputs of formulas I, II, III that is primitive and yields P3 . Reducing all of these calculations mod ni (for i = 1, 2) yields exactly the same result, namely the primitive point P3 (mod ni ) is the sum of P1 (mod ni ) and P2 (mod ni ). This means that ψ(P3 ) = ψ(P1 ) + ψ(P2 ), so ψ is a homomorphism. COROLLARY 2.33 Let E be an elliptic curve over Q given by y 2 = x3 + Ax + B with A, B ∈ Z. Let n be a positive odd integer such that gcd(n, 4A3 +27B 2 ) = 1. Represent the elements of E(Q) as primitive triples (x : y : z) ∈ P2 (Z). The map redn : E(Q) −→ E(Zn ) (x : y : z) → (x : y : z) (mod n) is a group homomorphism. PROOF If P1 , P2 ∈ E(Q) and P1 + P2 = P3 , then P3 is a primitive point that can be expressed as a linear combination of the outputs of formulas I, II, III. Reducing all of the calculations mod n yields the result. Corollary 2.33 can be generalized as follows. COROLLARY 2.34 Let R be a ring and let I be an ideal of R. Assume that both R and R/I satisfy conditions (1) and (2) on page 66. Let E be given by y 2 z = x3 + Axz 2 + Bz 3

EXERCISES

71

with A, B ∈ R and assume there exists r ∈ R such that (4A3 + 27B 2 )r − 1 ∈ I. Then the map redI : E(R) −→ E(R/I) (x : y : z) → (x : y : z) mod I is a group homomorphism. PROOF The proof is the same as for Corollary 2.33, with R in place of Z and mod I in place of mod n. The condition that (4A3 + 27B 2 )r − 1 ∈ I for some r is the requirement that 4A3 + 27B 2 is a unit in R/I, which was required in the definition of an elliptic curve over the ring R/I.

Exercises 2.1 (a) Show that the constant term of a monic cubic polynomial is the negative of the product of the roots. (b) Use (a) to derive the formula for the sum of two distinct points P1 , P2 in the case that the x-coordinates x1 and x2 are nonzero, as in Section 2.2. Note that when one of these coordinates is 0, you need to divide by zero to obtain the usual formula. 2.2 The point (3, 5) lies on the elliptic curve E : y 2 = x3 − 2, defined over Q. Find a point (not ∞) with rational, nonintegral coordinates in (Q). 2.3 The points P = (2, 9), Q = (3, 10), and R = (−4, −3) lie on the elliptic curve E : y 2 = x3 + 73. (a) Compute P + Q and (P + Q) + R. (b) Compute Q + R and P + (Q + R). Your answer for P + (Q + R) should agree with the result of part (a). However, note that one computation used the doubling formula while the other did not use it. 2.4 Let E be the elliptic curve y 2 = x3 − 34x + 37 defined over Q. Let P = (1, 2) and Q = (6, 7). (a) Compute P + Q.

72

CHAPTER 2

THE BASIC THEORY

(b) Note that P ≡ Q (mod 5). Compute 2P on E mod 5. Show that the answer is the same as (P +Q) mod 5. Observe that since P ≡ Q, the formula for adding the points mod 5 is not the reduction of the formula for adding P +Q. However, the answers are the same. This shows that the fact that reduction mod a prime is a homomorphism is subtle, and this is the reason for the complicated formulas in Section 2.11. 2.5 Let (x, y) be a point on the elliptic curve E given by y 2 = x3 + Ax + B. Show that if y = 0 then 3x2 + A = 0. (Hint: What is the condition for a polynomial to have x as a multiple root?) 2.6 Show that three points on an elliptic curve add to ∞ if and only if they are collinear.
 2.7 Let C be the curve u2 + v 2 = c2 1 + du2 v 2 , as in Section 2.6.3. Show that the point (c, 0) has order 4. 2.8 Show that the method at the end of Section 2.2 actually computes kP . (Hint: Use induction on the length of the binary expansion of k. If k = k0 + 2k1 + 4k2 + · · · + 2
a
, assume the result holds for k
= k0 + 2k1 + 4k2 + · · · + 2
−1 a
−1 .) 2.9 If P = (x, y) = ∞ is on the curve described by (2.1), then −P is the other finite point of intersection of the curve and the vertical line through P . Show that −P = (x, −a1 x − a3 − y). (Hint: This involves solving a quadratic in y. Note that the sum of the roots of a monic quadratic polynomial equals the negative of the coefficient of the linear term.) 2.10 Let R be the real numbers. Show that the map (x, y, z) → (x : y : z) gives a two-to-one map from the sphere x2 + y 2 + z 2 = 1 in R3 to P2R . Since the sphere is compact, this shows that P2R is compact under the topology inherited from the sphere (a set is open in P2R if and only if its inverse image is open in the sphere). 2.11 (a) Show that two lines a1 x + b1 y + c1 z = 0 and a2 x + b2 y + c2 z = 0 in two-dimensional projective space have a point of intersection. (b) Show that there is exactly one line through two distinct given points in P2K . 2.12 Suppose that the matrix

⎞ a1 b1 M = ⎝ a2 b2 ⎠ a3 b3 ⎛

has rank 2. Let (a, b, c) be a nonzero vector in the left nullspace of M , so (a, b, c)M = 0. Show that the parametric equations x = a1 u + b1 v,

y = a2 u + b2 v,

z = a3 u + b3 v,

EXERCISES

73

describe the line ax + by + cz = 0 in P2K . (It is easy to see that the points (x : y : z) lie on the line. The main point is that each point on the line corresponds to a pair (u, v).) 2.13 (a) Put the Legendre equation y 2 = x(x − 1)(x − λ) into Weierstrass form and use this to show that the j-invariant is j = 28

(λ2 − λ + 1)3 . λ2 (λ − 1)2

(b) Show that if j = 0, 1728 then there are six distinct values of λ giving this j, and that if λ is one such value then the full set is 1 λ λ−1 1 , , }. {λ, , 1 − λ, λ 1−λ λ−1 λ (c) Show that if j = 1728 then λ = −1, 2, 1/2, and if j = 0 then λ2 − λ + 1 = 0. 2.14 Consider the equation u2 − v 2 = 1, and the point (u0 , v0 ) = (1, 0). (a) Use the method of Section 2.5.4 to obtain the parameterization u=

m2 + 1 , m2 − 1

v=

2m . m2 − 1

(b) Show that the projective curve u2 − v 2 = w2 has two points at infinity, (1 : 1 : 0) and (1 : −1 : 0). (c) The parameterization obtained in (a) can be written in projective coordinates as (u : v : w) = (m2 + 1 : 2m : m2 − 1) (or (m2 + n2 : 2mn : m2 − n2 ) in a homogeneous form). Show that the values m = ±1 correspond to the two points at infinity. Explain why this is to be expected from the graph (using real numbers) of u2 −v 2 = 1. (Hint: Where does an asymptote intersect a hyperbola?) 2.15 Suppose (u0 , v0 , w0 ) = (u0 , 0, 0) lies in the intersection au2 + bv 2 = e,

cu2 + dw2 = f.

(a) Show that the procedure of Section 2.5.4 leads to an equation of the form “square = degree 2 polynomial in m.” (b) Let F = au2 + bv2 = e and G = cu2 + dw2 = f . Show that the Fu Fv Fw Jacobian matrix at (u0 , 0, 0) has rank 1. Since the Gu Gv Gw rank is less than 2, this means that the point is a singular point. 2.16 Show that the cubic equation x3 + y 3 = d can be transformed to the elliptic curve y12 = x31 − 432d2 .

74

CHAPTER 2

THE BASIC THEORY

2.17 (a) Show that (x, y) → (x, −y) is a group homomorphism from E to itself, for any elliptic curve in Weierstrass form. (b) Show that (x, y) → (ζx, −y), where ζ is a nontrivial cube root of 1, is an automorphism of the elliptic curve y 2 = x3 + B. (c) Show that (x, y) → (−x, iy), where i2 = −1, is an automorphism of the elliptic curve y 2 = x3 + Ax. 2.18 Let K have characteristic 3 and let E be defined by y 2 = x3 + a2 x2 + a4 x + a6 . The j-invariant in this case is defined to be j=

a62 a22 a24 − a32 a6 − a34

(this formula is false if the characteristic is not 3). (a) Show that either a2 = 0 or a4 = 0 (otherwise, the cubic has a triple root, which is not allowed). (b) Show that if a2 = 0, then the change of variables x1 = x − (a4 /a2 ) yields an equation of the form y12 = x31 + a
2 x21 + a
6 . This means that we may always assume that exactly one of a2 and a4 is 0. (c) Show that if two elliptic curves y 2 = x3 + a2 x2 + a6 and y 2 = × x3 + a
2 x2 + a
6 have the same j-invariant, then there exists µ ∈ K such that a
2 = µ2 a2 and a
6 = µ6 a6 .

(d) Show that if y 2 = x3 + a4 x + a6 and y 2 = x3 + a
4 x2 + a
6 are two elliptic curves (in characteristic 3), then there is a change of × variables y → ay, x → bx + c, with a, b ∈ K and c ∈ K, that changes one equation into the other.

(e) Observe that if a2 = 0 then j = 0 and if a4 = 0 then j = −a32 /a6 . Show that every element of K appears as the j-invariant of a curve defined over K. (f) Show that if two curves have the same j-invariant then there is a change of variables over K that changes one into the other. 2.19 Let α(x, y) = (p(x)/q(x), y ·s(x)/t(x)) be an endomorphism of the elliptic curve E given by y 2 = x3 + Ax + B, where p, q, s, t are polynomials such that p and q have no common root and s and t have no common root. (a) Using the fact that (x, y) and α(x, y) lie on E, show that (x3 + Ax + B) s(x)2 u(x) = t(x)2 q(x)3 for some polynomial u(x) such that q and u have no common root. (Hint: Show that a common root of u and q must also be a root of p.)

EXERCISES

75

(b) Suppose t(x0 ) = 0. Use the facts that x3 + Ax + B has no multiple roots and all roots of t2 are multiple roots to show that q(x0 ) = 0. This shows that if q(x0 ) = 0 then α(x0 , y0 ) is defined. 2.20 Consider the singular curve y 2 = x3 + ax2 with a = 0. Let y = mx be a line through (0, 0). Show that the line always intersects the curve 2 to order at least 2, and show that the order is 3 exactly √ when m = a. This may be interpreted as saying that the lines y = ± ax are the two tangents to the curve at (0, 0). 2.21 (a) Apply the method of Section 2.5.4 to the circle u2 + v 2 = 1 and the point (−1, 0) to obtain the parameterization u=

1 − t2 , 1 + t2

v=

2t . 1 + t2

(b) Suppose x, y, z are integers such that x2 + y 2 = z 2 , gcd(x, y, z) = 1, and x is even. Use (a) to show that there are integers m, n such that x = 2mn, y = m2 − n2 , z = m2 + n2 . Also, show that gcd(x, y, z) = 1 implies that gcd(m, n) = 1 and that m ≡ n (mod 2). 2.22 Let p(x) and q(x) be polynomials with no common roots. Show that   d p(x) =0 dx q(x) (that is, the identically 0 rational function) if and only if both p
(x) = 0 and q
(x) = 0. (If p or q is nonconstant, then this can happen only in positive characteristic.) 2.23 Let E be given by y 2 = x3 + Ax + B over a field K and let d ∈ K × . The twist of E by d is the elliptic curve E (d) given by y 2 = x3 +Ad2 x+Bd3 . (a) Show that j(E (d) ) = j(E).

√ (b) Show that E (d) can be transformed into E over K( d). (c) Show that E (d) can be transformed over K to the form dy12 = x31 + Ax1 + B. 2.24 Let α, β ∈ Z be such that gcd(α, β) = 1. Assume that α ≡ −1 (mod 4) and β ≡ 0 (mod 32). Let E be given by y 2 = x(x − α)(x − β). (a) Let p be prime. Show that the cubic polynomial x(x − α)(x − β) cannot have a triple root mod p.

76

CHAPTER 2

THE BASIC THEORY

(b) Show that the substitution x = 4x1 ,

y = 8y1 + 4x1

changes E into E1 , given by y12 + x1 y1 = x31 +

−β − α − 1 2 αβ x1 + x1 . 4 16

(c) Show that the reduction mod 2 of the equation for E1 is y12 + x1 y1 = x31 + ex21 for some e ∈ F2 . This curve is singular at (0, 0). (d) Let γ be a constant and consider the line y1 = γx1 . Show that if γ 2 + γ = e, then the line intersects the curve in part (c) to order 3, and if γ 2 + γ = e then this line intersects the curve to order 2. (e) Show that there are two distinct values of γ ∈ F2 such that γ 2 +γ = e. This implies that there are two distinct tangent lines to the curve E1 mod 2 at (0,0), as in Exercise 2.20. We take the property of part (e) to be the definition of multiplicative reduction in characteristic 2. Therefore, parts (a) and (e) show that the curve E1 has good or multiplicative reduction at all primes. A semistable elliptic curve over Q is one that has good or multiplicative reduction at all primes, possibly after a change of variables (over Q) such as the one in part (b). Therefore, E is semistable. See Section 15.1 for a situation where this fact is used.

Chapter 3 Torsion Points The torsion points, namely those whose orders are finite, play an important role in the study of elliptic curves. We’ll see this in Chapter 4 for elliptic curves over finite fields, where all points are torsion points, and in Chapter 8, where we use 2-torsion points in a procedure known as descent. In the present chapter, we first consider the elementary cases of 2- and 3-torsion, then determine the general situation. Finally, we discuss the important Weil and Tate-Lichtenbaum pairings.

3.1 Torsion Points Let E be an elliptic curve defined over a field K. Let n be a positive integer. We are interested in E[n] = {P ∈ E(K) | nP = ∞} (recall that K = algebraic closure of K). We emphasize that E[n] contains points with coordinates in K, not just in K. When the characteristic of K is not 2, E can be put in the form y 2 = cubic, and it is easy to determine E[2]. Let y 2 = (x − e1 )(x − e2 )(x − e3 ), with e1 , e2 , e3 ∈ K. A point P satisfies 2P = ∞ if and only if the tangent line at P is vertical. It is easy to see that this means that y = 0, so E[2] = {∞, (e1 , 0), (e2 , 0), (e3 , 0)}. As an abstract group, this is isomorphic to Z2 ⊕ Z2 . The situation in characteristic 2 is more subtle. In Section 2.8 we showed that E can be assumed to have one of the following two forms: (I) y 2 + xy + x3 + a2 x2 + a6 = 0

or

(II) y 2 + a3 y + x3 + a4 x + a6 = 0. 77

78

CHAPTER 3

TORSION POINTS

In the first case, a6 = 0 and in the second case, a3 = 0 (otherwise the curves would be singular). If P = (x, y) is a point of order 2, then the tangent at P must be vertical, which means that the partial derivative with respect to y must vanish. In case I, this means that x = 0. Substitute x = 0 into (I) √ √ to obtain 0 = y 2 + a6 = (y + a6 )2 . Therefore (0, a6 ) is the only point of order 2 (square roots are unique in characteristic 2), so √ E[2] = {∞, (0, a6 )}. As an abstract group, this is isomorphic to Z2 . In case II, the partial derivative with respect to y is a3 = 0. Therefore, there is no point of order 2, so E[2] = {∞}. We summarize the preceding discussion as follows. PROPOSITION 3.1 Let E be an elliptic curve over a field K. If the characteristic of K is not 2, then E[2] Z2 ⊕ Z2 . If the characteristic of K is 2, then E[2] 0 or Z2 . Now let’s look at E[3]. Assume first that the characteristic of K is not 2 or 3, so that E can be given by the equation y 2 = x3 + Ax + B. A point P satisfies 3P = ∞ if and only if 2P = −P . This means that the x-coordinate of 2P equals the x-coordinate of P (the y-coordinates therefore differ in sign; of course, if they were equal, then 2P = P , hence P = ∞). In equations, this becomes 3x2 + A . m2 − 2x = x, where m = 2y Using the fact that y 2 = x3 + Ax + B, we find that (3x2 + A)2 = 12x(x3 + Ax + B). This simplifies to

3x4 + 6Ax2 + 12Bx − A2 = 0.

The discriminant of this polynomial is −6912(4A3 +27B 2 )2 , which is nonzero. Therefore the polynomial has no multiple roots. There are 4 distinct values of x (in K), and each x yields two values of y, so we have eight points of order 3. Since ∞ is also in E[3], we see that E[3] is a group of order 9 in which every element is 3-torsion. It follows that E[3] Z3 ⊕ Z3 .

79

SECTION 3.1 TORSION POINTS

The case where K has characteristic 2 is Exercise 3.2. Now let’s look at characteristic 3. We may assume that E has the form y 2 = x3 + a2 x2 + a4 x + a6 . Again, we want the x-coordinate of 2P to equal the x-coordinate of P . We calculate the x-coordinate of 2P by the usual procedure and set it equal to the x-coordinate x of P . Some terms disappear because 3 = 0. We obtain  2 2a2 x + a4 − a2 = 3x = 0. 2y This simplifies to (recall that 4 = 1) a2 x3 + a2 a6 − a24 = 0. 1/3

Note that we cannot have a2 = a4 = 0 since then x3 + a6 = (x + a6 )3 has multiple roots, so at least one of a2 , a4 is nonzero. If a2 = 0, then we have −a24 = 0, which cannot happen, so there are no values of x. Therefore E[3] = {∞} in this case. If a2 = 0, then we obtain an equation of the form a2 (x3 + a) = 0, which has a single triple root in characteristic 3. Therefore, there is one value of x, and two corresponding values of y. This yields 2 points of order 3. Since there is also the point ∞, we see that E[3] has order 3, so E[3] Z3 as abstract groups. The general situation is given by the following. THEOREM 3.2 Let E be an elliptic curve over a field K and let n be a positive integer. If the characteristic of K does not divide n, or is 0, then E[n] Zn ⊕ Zn . If the characteristic of K is p > 0 and p|n, write n = pr n
with p
n
. Then E[n] Zn
⊕ Zn


or

Zn ⊕ Zn
.

The theorem will be proved in Section 3.2. An elliptic curve E in characteristic p is called ordinary if E[p] Zp . It is called supersingular if E[p] 0. Note that the terms “supersingular” and “singular” (as applied to bad points on elliptic curves) are unrelated. In the theory of complex multiplication (see Chapter 10), the “singular” jinvariants are those corresponding to elliptic curves with endomorphism rings larger than Z, and the “supersingular” j-invariants are those corresponding to elliptic curves with the largest possible endomorphism rings, namely, orders in quaternion algebras. Let n be a positive integer not divisible by the characteristic of K. Choose a basis {β1 , β2 } for E[n] Zn ⊕Zn . This means that every element of E[n] is

80

CHAPTER 3

TORSION POINTS

expressible in the form m1 β1 + m2 β with integers m1 , m2 . Note that m1 , m2 are uniquely determined mod n. Let α : E(K) → E(K) be a homomorphism. Then α maps E[n] into E[n]. Therefore, there are a, b, c, d ∈ Zn such that α(β1 ) = aβ1 + cβ2 ,

α(β2 ) = bβ1 + dβ2 .

Therefore each homomorphism α : E(K) → E(K) is represented by a 2 × 2 matrix   ab . αn = cd Composition of homomorphisms corresponds to multiplication of the corresponding matrices. In many cases, the homomorphism α will be taken to be an endomorphism, which means that it is given by rational functions (see Section 2.9). But α can also come from an automorphism of K that fixes K. This leads to the important subject of representations of Galois groups (that is, homomorphisms from Galois groups to groups of matrices). Example 3.1 Let E be the elliptic curve defined over R by y 2 = x3 − 2, and let n = 2. Then E[2] = {∞, (21/3 , 0), (ζ21/3 , 0), (ζ 2 21/3 , 0)}, where ζ is a nontrivial cube root of unity. Let β1 = (21/3 , 0),

β2 = (ζ21/3 , 0).

Then {β1 , β2 } is a basis for E[2], and β3 = (ζ 2 21/3 , 0) = β1 + β2 . Let α : E(C) → E(C) be complex conjugation: α(x, y) = (x, y), where the bar denotes complex conjugation. It is easy to verify that α is a homomorphism. In fact, since all the coefficients of the formulas for the group law have real coefficients, we have P1 + P2 = P1 + P2 . This is the same as α(P1 ) + α(P2 ) = α(P1 + P2 ). We have α(β1 ) = 1 · β1 + 0 · β2 ,

α(β2 ) = β3 = 1 · β1 + 1 · β2 .   11 Therefore we obtain the matrix α2 = . Note that α ◦ α is the identity, 01 which corresponds to the fact that α22 is the identity matrix mod 2.

3.2 Division Polynomials The goal of this section is to prove Theorem 3.2. We’ll also obtain a few other results that will be needed in proofs in Section 4.2.

SECTION 3.2 DIVISION POLYNOMIALS

81

In order to study the torsion subgroups, we need to describe the map on an elliptic curve given by multiplication by an integer. As in Section 2.9, this is an endomorphism of the elliptic curve and can be described by rational functions. We shall give formulas for these functions. We start with variables A, B. Define the division polynomials ψm ∈ Z[x, y, A, B] by ψ0 = 0 ψ1 = 1 ψ2 = 2y ψ3 = 3x4 + 6Ax2 + 12Bx − A2 ψ4 = 4y(x6 + 5Ax4 + 20Bx3 − 5A2 x2 − 4ABx − 8B 2 − A3 ) 3 3 ψ2m+1 = ψm+2 ψm − ψm−1 ψm+1 for m ≥ 2 −1 2 2 ψ2m = (2y) (ψm )(ψm+2 ψm−1 − ψm−2 ψm+1 ) for m ≥ 3.

LEMMA 3.3 ψn is a polynomial in Z[x, y 2 , A, B] when n is odd, and ψn is a polynomial in 2yZ[x, y 2 , A, B] when n is even. PROOF The lemma is true for n ≤ 4. Assume, by induction, that it holds for all n < 2m. We may assume that 2m > 4, so m > 2. Then 2m > m + 2, so all polynomials appearing in the definition of ψ2m satisfy the induction assumptions. If m is even, then ψm , ψm+2 , ψm−2 are in 2yZ[x, y 2 , A, B], from which it follows that ψ2m is in 2yZ[x, y 2 , A, B]. If m is odd, then ψm−1 and ψm+1 are in 2yZ[x, y 2 , A, B], so again we find that ψ2m is in 2yZ[x, y 2 , A, B]. Therefore, the lemma holds for n = 2m. Similarly, it holds for n = 2m + 1.

Define polynomials 2 φm = xψm − ψm+1 ψm−1

2 2 ωm = (4y)−1 (ψm+2 ψm−1 − ψm−2 ψm+1 ).

LEMMA 3.4 φn ∈ Z[x, y 2 , A, B] for all n. If n is odd, then ωn ∈ yZ[x, y 2 , A, B]. If n is even, then ωn ∈ Z[x, y 2 , A, B]. PROOF If n is odd, then ψn+1 and ψn−1 are in yZ[x, y 2 , A, B], so their product is in Z[x, y 2 , A, B]. Therefore, φn ∈ Z[x, y 2 , A, B]. If n is even, the proof is similar. The facts that y −1 ωn ∈ Z[x, y 2 , A, B] for odd n and ωn ∈ 12 Z[x, y 2 , A, B] for even n follow from Lemma 3.3, and these are all that we need for future

82

CHAPTER 3

TORSION POINTS

applications. However, to get rid of the extra 2 in the denominator, we proceed as follows. Induction (treating separately the various possibilities for n mod 4) shows that 2

ψn ≡ (x2 + A)(n and (2y)−1 ψn ≡

n

2

−1)/4

2

(x2 + A)(n

(mod 2)

−4)/4

when n is odd

(mod 2)

when n is even.

A straightforward calculation now yields the lemma. We now consider an elliptic curve E:

y 2 = x3 + Ax + B,

4A3 + 27B 2 = 0.

We don’t specify what ring or field the coefficients A, B are in, so we continue to treat them as variables. We regard the polynomials in Z[x, y 2 , A, B] as polynomials in Z[x, A, B] by replacing y 2 with x3 + Ax + B. Therefore, we write φn (x) and ψn2 (x). Note that ψn is not necessarily a polynomial in x alone, while ψn2 is always a polynomial in x. LEMMA 3.5 2

φn (x) = xn + lower degree terms 2

ψn2 (x) = n2 xn PROOF

−1

+ lower degree terms

In fact, we claim that  2 y(nx(n −4)/2 + · · · ) if n is even ψn = 2 nx(n −1)/2 + · · · if n is odd.

This is proved by induction. For example, if n = 2m + 1 with m even, then 3 is the leading term of ψm+2 ψm (m + 2)m3 y 4 x

2 (m+2)2 −4 + 3m 2−12 2

Changing y 4 to (x3 + Ax + B)2 yields (m + 2)m3 x

(2m+1)2 −1 2

.

3 is Similarly, the leading term of ψm−1 ψm+1

(m − 1)(m + 1)3 x

(2m+1)2 −1 2

.

.

SECTION 3.2 DIVISION POLYNOMIALS

83

Subtracting and using the recursion relation shows that the leading term of ψ2m+1 is as claimed in the lemma. The other cases are treated similarly. We can now state the main theorem. THEOREM 3.6 Let P = (x, y) be a point on the elliptic curve y 2 = x3 + Ax + B (over some field of characteristic not 2), and let n be a positive integer. Then   φn (x) ωn (x, y) , nP = . ψn2 (x) ψn (x, y)3 The proof will be given in Section 9.5. COROLLARY 3.7 Let E be an elliptic curve. The endomorphism of E given by multiplication by n has degree n2 . PROOF From Lemma 3.5, we have that the maximum of the degrees of the numerator and denominator of φn (x)/ψn2 (x) is n2 . Therefore, the degree of the endomorphism is n2 if this rational function is reduced, that is, if φn (x) and ψn2 (x) have no common roots. We’ll show that this is the case. Suppose not. Let n be the smallest index for which they have a common root. Suppose n = 2m is even. A quick calculation shows that φ2 (x) = x4 − 2Ax2 − 8Bx + A2 . Computing the x-coordinate of 2m(x, y) in two steps by multiplying by m and then by 2, and using the fact that ψ22 = 4y 2 = 4(x3 + Ax + B), we obtain 2 ) φ2m φ2 (φm /ψm = 2 2 2 ψ2m ψ2 (φm /ψm )

=

4 6 8 − 8Bφm ψm + A2 ψm φ4m − 2Aφ2m ψm 2 3 4 6 (4ψm )(φm + Aφm ψm + Bψm )

=

U , V

where U and V are the numerator and denominator of the preceding expression. To show U and V have no common roots, we need the following.

84

CHAPTER 3

TORSION POINTS

LEMMA 3.8 Let ∆ = 4A3 + 27B 2 and let F (x, z) = x4 − 2Ax2 z 2 − 8Bxz 3 + A2 z 4 G(x, z) = 4z(x3 + Axz 2 + Bz 3 ) f1 (x, z) = 12x2 z + 16Az 3 g1 (x, z) = 3x3 − 5Axz 2 − 27Bz 3 f2 (x, z) = 4∆x3 − 4A2 Bx2 z + 4A(3A3 + 22B 2 )xz 2 + 12B(A3 + 8B 2 )z 3 g2 (x, z) = A2 Bx3 + A(5A3 + 32B 2 )x2 z + 2B(13A3 + 96B 2 )xz 2 − 3A2 (A3 + 8B 2 )z 3 . Then

F f1 − Gg1 = 4∆z 7 and F f2 + Gg2 = 4∆x7 .

PROOF This is verified by a straightforward calculation. Where do these identities come from? The polynomials F (x, 1) and G(x, 1) have no common roots, so the extended Euclidean algorithm, applied to polynomials, finds polynomials f1 (x), g1 (x) such that F (x, 1)f1 (x) + G(x, 1)g1 (x) = 1. Changing x to x/z, multiplying by z 7 (to make everything homogeneous), then multiplying by 4∆ to clear denominators yields the first identity. The second is obtained by reversing the roles of x and z. The lemma implies that 2 2 14 U · f1 (φm , ψm ) − V · g1 (φm , ψm ) = 4ψm ∆ 2 2 7 U · f2 (φm , ψm ) + V · g2 (φm , ψm ) = 4φm ∆. 2 If U, V have a common root, then so do φm and ψm . Since n = 2m is the first index for which there is a common root, this is impossible. 2 2 . Since U/V = φ2m /ψ2m It remains to show that U = φ2m and V = ψ2m and since U, V have no common root, it follows that φ2m is a multiple of U 2 is a multiple of V . A quick calculation using Lemma 3.5 shows that and ψ2m 2

U = x4m + lower degree terms. Lemma 3.5 and the fact that φ2m is a multiple of U imply that φ2m = U . 2 2 . It follows that φ2m and ψ2m have no common roots. Therefore, V = ψ2m Now suppose that the smallest index n such that there is a common root is odd: n = 2m + 1. Let r be a common root of φn and ψn2 . Since φn = xψn2 − ψn−1 ψn+1 , and since ψn+1 ψn−1 is a polynomial in x, we have (ψn+1 ψn−1 )(r) = 0. 2 are polynomials in x and their product vanishes at r. Therefore But ψn±1 2 ψn+δ (r) = 0, where δ is either 1 or −1.

SECTION 3.2 DIVISION POLYNOMIALS

85

Since n is odd, both ψn and ψn+2δ are polynomials in x. Moreover, 2 (ψn ψn+2δ )2 = ψn2 ψn+2δ

vanishes at r. Therefore ψn ψn+2δ vanishes at r. Since 2 − ψn ψn+2δ , φn+δ = xψn+δ 2 have a common root. we find that φn+δ (r) = 0. Therefore, φn+δ and ψn+δ Note that n + δ is even. 2 When considering the case that n is even, we showed that if φ2m and ψ2m 2 have a common root, then φm and ψm have a common root. In the present case, we apply this to 2m = n + δ. Since n is assumed to be the smallest index for which there is a common root, we have

n+δ ≥ n. 2 This implies that n = 1. But clearly φ1 = x and ψ12 = 1 have no common roots, so we have a contradiction. This proves that φn and ψn2 have no common roots in all cases. Therefore, as pointed out at the beginning of the proof, the multiplication by n map has degree n2 . This completes the proof of Corollary 3.7. Recall from Section 2.9 that if α(x, y) = (R(x), yS(x)) is an endomorphism of an elliptic curve E, then α is separable if R
(x) is not identically 0. Assume n is not a multiple of the characteristic p of the field. From Theorem 3.6 we see that the multiplication by n map has 2

R(x) =

xn + · · · . n2 xn2 −1 + · · · 2

The numerator of the derivative is n2 x2n −2 +· · · = 0, so R
(x) = 0. Therefore, multiplication by n is separable. From Corollary 3.7 and Proposition 2.21, E[n], the kernel of multiplication by n, has order n2 . The structure theorem for finite abelian groups (see Appendix B) says that E[n] is isomorphic to Zn1 ⊕ Zn2 ⊕ · · · ⊕ Znk , for some integers n1 , n2 , . . . , nk with ni |ni+1 for all i. Let be a prime dividing n1 . Then |ni for all i. This means that E[ ] ⊆ E[n] has order k . Since we have just proved that E[ ] has order 2 , we must have k = 2. Multiplication by n annihilates E[n] Zn1 ⊕ Zn2 , so we must have n2 |n. Since n2 = #E[n] = n1 n2 , it follows that n1 = n2 = n. Therefore, E[n] Zn ⊕ Zn when the characteristic p of the field does not divide n.

86

CHAPTER 3

TORSION POINTS

It remains to consider the case where p|n. We first determine the p-power torsion on E. By Proposition 2.28, multiplication by p is not separable. By Proposition 2.21, the kernel E[p] of multiplication by p has order strictly less than the degree of this endomorphism, which is p2 by Corollary 3.7. Since every element of E[p] has order 1 or p, the order of E[p] is a power of p, hence must be 1 or p. If E[p] is trivial, then E[pk ] must be trivial for all k. Now suppose E[p] has order p. We claim that E[pk ] Zpk for all k. It is easy to see that E[pk ] is cyclic. The hard part is to show that the order is pk , rather than something smaller (for example, why can’t we have E[pk ] = E[p] Zp for all k?). Suppose there exists an element P of order pj . By Theorem 2.22, multiplication by p is surjective, so there exists a point Q with pQ = P . Since pj Q = pj−1 P = ∞

pj+1 Q = pj P = ∞,

but

Q has order pj+1 . By induction, there are points of order pk for all k. Therefore, E[pk ] is cyclic of order pk . We can now put everything together. Write n = pr n
with r ≥ 0 and p
n
. Then E[n] E[n
] ⊕ E[pr ]. We have E[n
] Zn
⊕ Zn
, since p
n
. We have just showed that E[pr ] 0 or Zpr . Recall that Zn
⊕ Zpr Zn
pr Zn (see Appendix A). Therefore, we obtain E[n] Zn
⊕ Zn


or

Zn ⊕ Zn
.

This completes the proof of Theorem 3.2.

3.3 The Weil Pairing The Weil pairing on the n-torsion on an elliptic curve is a major tool in the study of elliptic curves. For example, it will be used in Chapter 4 to prove Hasse’s theorem on the number of points on an elliptic curve over a finite field. It will be used in Chapter 5 to attack the discrete logarithm problem for elliptic curves. In Chapter 6, it will be used in a cryptographic setting. Let E be an elliptic curve over a field K and let n be an integer not divisible by the characteristic of K. Then E[n] Zn ⊕ Zn . Let µn = {x ∈ K | xn = 1} be the group of nth roots of unity in K. Since the characteristic of K does not divide n, the equation xn = 1 has no multiple roots, hence has n roots in

SECTION 3.3 THE WEIL PAIRING

87

K. Therefore, µn is a cyclic group of order n. Any generator ζ of µn is called a primitive nth root of unity. This is equivalent to saying that ζ k = 1 if and only if n divides k. THEOREM 3.9 Let E be an elliptic curve defined over a field K and let n be a positive integer. Assume that the characteristic of K does not divide n. Then there is a pairing en : E[n] × E[n] → µn , called the Weil pairing, that satisfies the following properties: 1. en is bilinear in each variable. This means that en (S1 + S2 , T ) = en (S1 , T )en (S2 , T ) and en (S, T1 + T2 ) = en (S, T1 )en (S, T2 ) for all S, S1 , S2 , T, T1 , T2 ∈ E[n]. 2. en is nondegenerate in each variable. This means that if en (S, T ) = 1 for all T ∈ E[n] then S = ∞ and also that if en (S, T ) = 1 for all S ∈ E[n] then T = ∞. 3. en (T, T ) = 1 for all T ∈ E[n]. 4. en (T, S) = en (S, T )−1 for all S, T ∈ E[n]. 5. en (σS, σT ) = σ(en (S, T )) for all automorphisms σ of K such that σ is the identity map on the coefficients of E (if E is in Weierstrass form, this means that σ(A) = A and σ(B) = B). 6. en (α(S), α(T )) = en (S, T )deg(α) for all separable endomorphisms α of E. If the coefficients of E lie in a finite field Fq , then the statement also holds when α is the Frobenius endomorphism φq . (Actually, the statement holds for all endomorphisms α, separable or not. See [38].) The proof of the theorem will be given in Chapter 11. In the present section, we’ll derive some consequences. COROLLARY 3.10 Let {T1 , T2 } be a basis of E[n]. Then en (T1 , T2 ) is a primitive nth root of unity. PROOF Suppose en (T1 , T2 ) = ζ with ζ d = 1. Then en (T1 , dT2 ) = 1. Also, en (T2 , dT2 ) = en (T2 , T2 )d = 1 (by (1) and (3)). Let S ∈ E[n]. Then

88

CHAPTER 3

TORSION POINTS

S = aT1 + bT2 for some integers a, b. Therefore, en (S, dT2 ) = en (T1 , dT2 )a en (T2 , dT2 )b = 1. Since this holds for all S, (2) implies that dT2 = ∞. Since dT2 = ∞ if and only if n|d, it follows that ζ is a primitive nth root of unity. COROLLARY 3.11 If E[n] ⊆ E(K), then µn ⊂ K. REMARK 3.12 Recall that points in E[n] are allowed to have coordinates in K. The hypothesis of the corollary is that these points all have coordinates in K. PROOF Let σ be any automorphism of K such that σ is the identity on K. Let T1 , T2 be a basis of E[n]. Since T1 , T2 are assumed to have coordinates in K, we have σT1 = T1 and σT2 = T2 . By (5), ζ = en (T1 , T2 ) = en (σT1 , σT2 ) = σ(en (T1 , T2 )) = σ(ζ). The fundamental theorem of Galois theory says that if an element x ∈ K is fixed by all such automorphisms σ, then x ∈ K. Therefore, ζ ∈ K. Since ζ is a primitive nth root of unity by Corollary 3.10, it follows that µn ⊂ K. (Technical point: The fundamental theorem of Galois theory only implies that ζ lies in a purely inseparable extension of K. But an nth root of unity generates a separable extension of K when the characteristic does not divide n, so we conclude that ζ ∈ K.) COROLLARY 3.13 Let E be an elliptic curve defined over Q. Then E[n] ⊆ E(Q) for n ≥ 3. PROOF

If E[n] ⊆ E(Q), then µn ⊂ Q, which is not the case when n ≥ 3.

REMARK 3.14 When n = 2, it is possible to have E[2] ⊆ E(Q). For example, if E is given by y 2 = x(x − 1)(x + 1), then E[2] = {∞, (0, 0), (1, 0), (−1, 0)}. If n = 3, 4, 5, 6, 7, 8, 9, 10, 12, there are elliptic curves E defined over Q that have points of order n with rational coordinates. However, the corollary says that it is not possible for all points of order n to have rational coordinates for these n. The torsion subgroups of elliptic curves over Q will be discussed in Chapter 8.

SECTION 3.3 THE WEIL PAIRING

89

We now use the Weil pairing to deduce two propositions that will be used in the proof of Hasse’s theorem in Chapter Recall that if α is an endomorphism  4.  ab with entries in Zn , describing the of E, then we obtain a matrix αn = cd action of α on a basis {T1 , T2 } of E[n]. PROPOSITION 3.15 Let α be an endomorphism of an elliptic curve E defined over a field K. Let n be a positive integer not divisible by the characteristic of K. Then det(αn ) ≡ deg(α) (mod n). PROOF By Corollary 3.10, ζ = en (T1 , T2 ) is a primitive nth root of unity. By part (6) of Theorem 3.9, we have ζ deg(α) = en (α(T1 ), α(T2 )) = en (aT1 + cT2 , bT1 + dT2 ) = en (T1 , T1 )ab en (T1 , T2 )ad en (T2 , T1 )cb en (T2 , T2 )cd = ζ ad−bc , by the properties of the Weil pairing. Since ζ is a primitive nth root of unity, deg(α) ≡ ad − bc (mod n). As we’ll see in the proof of the next result, Proposition 3.15 allows us to reduce questions about the degree to calculations with matrices. Both Proposition 3.15 and Proposition 3.16 hold for all endomorphisms, since part (6) of Theorem 3.9 holds in general. However, we prove part (6) only for separable endomorphisms and for the Frobenius map, which is sufficient for our purposes. We’ll state Proposition 3.16 in general, and the proof is sufficient for separable endomorphisms and for all endomorphisms of the form r + sφq with arbitrary integers r, s. Let α and β be endomorphisms of E and let a, b be integers. The endomorphism aα + bβ is defined by (aα + bβ)(P ) = aα(P ) + bβ(P ). Here aα(P ) means multiplication on E of α(P ) by the integer a. The result is then added on E to bβ(P ). This process can all be described by rational functions, since this is true for each of the individual steps. Therefore aα + bβ is an endomorphism. PROPOSITION 3.16 deg(aα + bβ) = a2 deg α + b2 deg β + ab(deg(α + β) − deg α − deg β).

90

CHAPTER 3

TORSION POINTS

PROOF Let n be any integer not divisible by the characteristic of K. Represent α and β by matrices αn and βn (with respect to some basis of E[n]). Then aαn + bβn gives the action of aα + bβ on E[n]. A straightforward calculation yields det(aαn + bβn ) = a2 det αn + b2 det βn + ab(det(αn + βn ) − det αn − det βn ) for any matrices αn and βn (see Exercise 3.4). Therefore deg(aα + bβ) ≡ a2 deg α + b2 deg β + ab(deg(α + β) − deg α − deg β)

(mod n).

Since this holds for infinitely many n, it must be an equality.

3.4 The Tate-Lichtenbaum Pairing Starting from the Weil pairing, it is possible to define a pairing that can be used in cases where the full n-torsion is not available, so the Weil pairing does not apply directly. The approach used in this section was inspired by work of Schaefer [96]. THEOREM 3.17 Let E be an elliptic curve over Fq . Let n be an integer such that n|q − 1. Denote by E(Fq )[n] the elements of E(Fq ) of order dividing n, and let µn = {x ∈ Fq | xn = 1}. Let P ∈ E(Fq )[n] and Q ∈ E(Fq ) and choose R ∈ E(Fq ) satisfying nR = Q. Denote by en the nth Weil pairing and by φ = φq the qth power Frobenius endomorphism. Define τn (P, Q) = en (P, R − φ(R)). Then τn : E(Fq )[n] × E(Fq )/nE(Fq ) −→ µn is a well-defined nondegenerate bilinear pairing. The pairing of the theorem is called the modified Tate-Lichtenbaum pairing. The original Tate-Lichtenbaum pairing is obtained by taking the nth root of τn , thus obtaining a pairing × n ·, ·n : E(Fq )[n] × E(Fq )/nE(Fq ) −→ F× q /(Fq ) .

The pairing τn is better suited for computations since it gives a definite answer, rather than a coset in F× q mod nth powers. These pairings can be computed

SECTION 3.4 THE TATE-LICHTENBAUM PAIRING

91

quickly (using at most a constant times log q point additions on E). See Section 11.4. Technically, we should write τn (P, Q) as τn (P, Q+nE(Fq )), since an element of E(Fq )/nE(Fq ) has the form Q + nE(Fq ). However, we’ll simply write τn (P, Q) and similarly for P, Qn . The fact that τn is nondegenerate means that if τn (P, Q) = 1 for all Q then P = ∞, and if τn (P, Q) = 1 for all P then Q ∈ nE(Fq ). Bilinearity means that τn (P1 + P1 , Q) = τn (P1 , Q)τn (P2 , Q) and τn (P, Q1 + Q2 ) = τn (P, Q1 )τn (P, Q2 ). PROOF We now prove the theorem. First, we need to show that τn (P, Q) is defined and is independent of the choice of R. Since nR = Q ∈ E(Fq ), we have ∞ = Q − φ(Q) = n (R − φR) , so R − φR ∈ E[n] (to lower the number of parentheses, we often write φR instead of φ(R)). Since P ∈ E[n], too, the Weil pairing en (P, R − φR) is defined. Suppose that nR
= Q gives another choice of R. Let T = R
− R. Then nT = Q − Q = ∞, so T ∈ E[n]. Therefore, en (P, R
− φR
) = en (P, R − φR + T − φT ) = en (P, R − φR)en (P, T )/en (P, φT ). But P = φP , since P ∈ E(Fq ), so en (P, φT ) = en (φP, φT ) = φ (en (P, T )) = en (P, T ), since en (P, T ) ∈ µn ⊂ Fq . Therefore, en (P, R
− φR
) = en (P, R − φR), so τn does not depend on the choice of R. Since Q is actually a representative of a coset in E(Fq )/nE(Fq ), we need to show that the value of τn depends only on the coset, not on the particular choice of representative. Therefore, suppose Q
− Q = nU ∈ nE(Fq ). Let nR = Q and let R
= R + U . Then nR
= Q
. We have en (P, R
− φR
) = en (P, R − φR + U − φU ) = en (P, R − φR), since U = φU for U ∈ E(Fq ). Therefore, the value does not depend on the choice of coset representative. This completes the proof that τn is well defined. The fact that τn (P, Q) is bilinear in P follows immediately from the corresponding fact for en . For bilinearity in Q, suppose that nR1 = Q1 and

92

CHAPTER 3

TORSION POINTS

nR2 = Q2 . Then n(R1 + R2 ) = Q1 + Q2 , so τn (P, Q1 + Q2 ) = en (P, R1 + R2 − φR1 − φR2 ) = en (P, R1 − φR1 )en (P, R2 − φR2 ) = τn (P, Q1 )τn (P, Q2 ). It remains to prove the nondegeneracy. This we postpone to Section 11.7.

The Tate-Lichtenbaum pairing can be used in some situations where the Weil pairing does not apply. The Weil pairing needs E[n] ⊆ E(Fq ), which implies that µn ⊆ F× q , by Corollary 3.11. The Tate-Lichtenbaum pairing requires that µn ⊆ F× q , but only needs a point of order n, rather than all of E[n], to be in E(Fq ). In fact, it doesn’t even need a point of order n. If E(Fq )[n] is trivial, for example, then we have a pairing between two trivial groups.

Exercises 3.1 Let E be the elliptic curve y 2 = x3 + 1 mod 5. (a) Compute the division polynomial ψ3 (x). (b) Show that gcd(x5 − x, ψ3 (x)) = x. (c) Use the result of part (b) to show that the 3-torsion points in E(F5 ) are {∞, (0, 1), (0, −1)}. 3.2 Let E be an elliptic curve in characteristic 2. Show that E[3] Z3 ⊕ Z3 . (Hint: Use the formulas at the end of Section 2.8.) 3.3 Let E be an elliptic curve over a field of characteristic not 2. Let E[2] = {∞, P1 , P2 , P3 }. Show that e2 (Pi , Pj ) = −1 whenever i = j.   wx ˜ = 3.4 Let M and N be 2 × 2 matrices with N = . Define N y z   z −x (this is the adjoint matrix). −y w ˜ ) = det(M + N ) − det(M ) − det(N ). (a) Show that Trace(M N (b) Use (a) to show that det(aM + bN ) − a2 det M − b2 det N = ab(det(M + N ) − det M − det N )

EXERCISES

93

for all scalars a, b. This is the relation used in the proof of Proposition 3.16. 3.5 Show that part (6) of Theorem 3.9 holds when α is the endomorphism given by multiplication by an integer m. 3.6 Let E be an elliptic curve over a field K and let P be a point of order n (where n is not divisible by the characteristic of the field K). Let Q ∈ E[n]. Show that there exists an integer k such that Q = kP if and only if en (P, Q) = 1. 3.7 Write the equation of the elliptic curve E as F (x, y, z) = y 2 z − x3 − Axz 2 − Bz 3 = 0. Show that a point P on E is in E[3] if and only if ⎛ ⎞ Fxx Fxy Fxz det ⎝ Fyx Fyy Fyz ⎠ = 0 Fzx Fzy Fzz at the point P , where Fab denotes the 2nd partial derivative with respect to a, b. The determinant is called the Hessian. For a curve in P2 defined by an equation F = 0, a point where the Hessian is zero is called a flex of the curve. 3.8 The division polynomials ψn were defined for n ≥ 0. Show that if we let ψ−n = −ψn , then the recurrence relations preceding Lemma 3.3, which are stated only for m ≥ 2, hold for all integers m. (Note that this requires verifying the relations for m ≤ −2 and for m = −1, 0, 1.)

Chapter 4 Elliptic Curves over Finite Fields Let F be a finite field and let E be an elliptic curve defined over F. Since there are only finitely many pairs (x, y) with x, y ∈ F, the group E(F) is finite. Various properties of this group, for example, its order, turn out to be important in many contexts. In this chapter, we present the basic theory of elliptic curves over finite fields. Not only are the results interesting in their own right, but also they are the starting points for the cryptographic applications discussed in Chapter 6.

4.1 Examples First, let’s consider some examples. Example 4.1 Let E be the curve y 2 = x3 + x + 1 over F5 . To count points on E, we make a list of the possible values of x, then of x3 + x + 1 (mod 5), then of the square roots y of x3 + x + 1 (mod 5). This yields the points on E. x 0 1 2 3 4 ∞

x3 + x + 1 1 3 1 1 4

y ±1 – ±1 ±1 ±2 ∞

Points (0, 1), (0, 4) – (2, 1), (2, 4) (3, 1), (3, 4) (4, 2), (4, 3) ∞

Therefore, E(F5 ) has order 9. 95

96

CHAPTER 4

ELLIPTIC CURVES OVER FINITE FIELDS

Let’s compute (3, 1) + (2, 4) on E. The slope of the line through the two points is 4−1 ≡ 2 (mod 5). 2−3 The line is therefore y = 2(x−3)+1 ≡ 2x. Substituting this into y 2 = x3 +x+1 and rearranging yields 0 = x3 − 4x2 + x + 1. The sum of the roots is 4, and we know the roots 3 and 2. Therefore the remaining root is x = 4. Since y = 2x, we have y ≡ 3. Reflecting across the x-axis yields the sum: (3, 1) + (2, 4) = (4, 2). (Of course, we could have used the formulas of Section 2.2 directly.) A little calculation shows that E(F5 ) is cyclic, generated by (0, 1) (Exercise 4.1). Example 4.2 Let E be the elliptic curve y 2 = x3 + 2 over F7 . Then E(F7 ) = {∞, (0, 3), (0, 4), (3, 1), (3, 6), (5, 1), (5, 6), (6, 1), (6, 6)}. An easy calculation shows that all of these points P satisfy 3P = ∞, so the group is isomorphic to Z3 ⊕ Z3 . Example 4.3 Let’s consider the elliptic curve E given by y 2 + xy = x3 + 1 defined over F2 . We can find the points as before and obtain E(F2 ) = {∞, (0, 1), (1, 0), (1, 1)}. This is a cyclic group of order 4. The points (1, 0), (1, 1) have order 4 and the point (0, 1) has order 2. Now let’s look at E(F4 ). Recall that F4 is the finite field with 4 elements. We can write it as F4 = {0, 1, ω, ω 2 }, with the relation ω 2 + ω + 1 = 0 (which implies, after multiplying by ω + 1, that ω 3 = 1). Let’s list the elements of E(F4 ). x = 0 ⇒ y2 = 1 ⇒ y = 1 x = 1 ⇒ y 2 + y = 0 ⇒ y = 0, 1 x = ω ⇒ y 2 + ωy = 0 ⇒ y = 0, ω x = ω 2 ⇒ y 2 + ω 2 y = 0 ⇒ y = 0, ω 2 x = ∞ ⇒ y = ∞. Therefore
 E(F4 ) = ∞, (0, 1), (1, 0), (1, 1), (ω, 0), (ω, ω), (ω 2 , 0), (ω 2 , ω 2 ) .

SECTION 4.1 EXAMPLES

97

Since we are in characteristic 2, there is at most one point of order 2 (see Proposition 3.1). In fact, (0, 1) has order 2. Therefore, E(F4 ) is cyclic of order 8. Any one of the four points containing ω or ω 2 is a generator. This may be verified by direct calculation, or by observing that they do not lie in the order 4 subgroup E(F2 ). Let φ2 (x, y) = (x2 , y 2 ) be the Frobenius map. It is easy to see that φ2 permutes the elements of E(F4 ), and E(F2 ) = {(x, y) ∈ E(F4 ) | φ2 (x, y) = (x, y) } . In general, for any elliptic curve E defined over Fq and any extension F of Fq , the Frobenius map φq permutes the elements of E(F) and is the identity on the subgroup E(Fq ). See Lemma 4.5. Two main restrictions on the groups E(Fq ) are given in the next two theorems. THEOREM 4.1 Let E be an elliptic curve over the finite field Fq . Then E(Fq )  Zn

or

Zn1 ⊕ Zn2

for some integer n ≥ 1, or for some integers n1 , n2 ≥ 1 with n1 dividing n2 . PROOF A basic result in group theory (see Appendix B) says that a finite abelian group is isomorphic to a direct sum of cyclic groups Zn1 ⊕ Zn2 ⊕ · · · ⊕ Znr , with ni |ni+1 for i ≥ 1. Since, for each i, the group Zni has n1 elements of order dividing n1 , we find that E(Fq ) has nr1 elements of order dividing n1 . By Theorem 3.2, there are at most n21 such points (even if we allow coordinates in the algebraic closure of Fq ). Therefore r ≤ 2. This is the desired result (the group is trivial if r = 0; this case is covered by n = 1 in the theorem).

THEOREM 4.2 (Hasse) Let E be an elliptic curve over the finite field Fq . Then the order of E(Fq ) satisfies √ |q + 1 − #E(Fq )| ≤ 2 q. The proof will be given in Section 4.2. A natural question is what groups can actually occur as groups E(Fq ). The answer is given in the following two results, which are proved in [130] and [93], respectively.

98

CHAPTER 4

ELLIPTIC CURVES OVER FINITE FIELDS

THEOREM 4.3 Let q = pn be a power of a prime p and let N = q + 1 − a. There is an elliptic √ curve E defined over Fq such that #E(Fq ) = N if and only if |a| ≤ 2 q and a satisfies one of the following: 1. gcd(a, p) = 1 √ 2. n is even and a = ±2 q √ 3. n is even, p ≡ 1 (mod 3), and a = ± q 4. n is odd, p = 2 or 3, and a = ±p(n+1)/2 5. n is even, p ≡ 1 (mod 4), and a = 0 6. n is odd and a = 0. THEOREM 4.4 Let N be an integer that occurs as the order of an elliptic curve over a finite field Fq , as in Theorem 4.3. Write N = pe n1 n2 with p
n1 n2 and n1 |n2 (possibly n1 = 1). There is an elliptic curve E over Fq such that E(Fq )  Zpe ⊕ Zn1 ⊕ Zn2 if and only if 1. n1 |q − 1 in cases (1), (3), (4), (5), (6) of Theorem 4.3 2. n1 = n2 in case (2) of Theorem 4.3. These are the only groups that occur as groups E(Fq ).

4.2 The Frobenius Endomorphism Let Fq be a finite field with algebraic closure Fq and let φq : Fq −→ Fq , x → xq be the Frobenius map for Fq (see Appendix C for a review of finite fields). Let E be an elliptic curve defined over Fq . Then φq acts on the coordinates of points in E(Fq ): φq (x, y) = (xq , y q ),

φq (∞) = ∞.

SECTION 4.2 THE FROBENIUS ENDOMORPHISM

99

LEMMA 4.5 Let E be defined over Fq , and let (x, y) ∈ E(Fq ). 1. φq (x, y) ∈ E(Fq ) 2. (x, y) ∈ E(Fq ) if and only if φq (x, y) = (x, y). PROOF One fact we need is that (a + b)q = aq + bq when q is a power of the characteristic of the field. We also need that aq = a for all a ∈ Fq . See Appendix C. Since the proof is the same for the Weierstrass and the generalized Weierstrass equations, we work with the general form. We have y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 , with ai ∈ Fq . Raise the equation to the qth power to obtain (y q )2 + a1 (xq y q ) + a3 (y q ) = (xq )3 + a2 (xq )2 + a4 (xq ) + a6 . This means that (xq , y q ) lies on E, which proves (1). For (2), again recall that x ∈ Fq if and only if φq (x) = x (see Appendix C), and similarly for y. Therefore (x, y) ∈ E(Fq ) ⇔ x, y ∈ Fq ⇔ φq (x) = x and φq (y) = y ⇔ φq (x, y) = (x, y).

LEMMA 4.6 Let E be an elliptic curve defined over Fq . Then φq is an endomorphism of E of degree q, and φq is not separable. This is the same as Lemma 2.20. Note that the kernel of the endomorphism φq is trivial. This is related to the fact that φq is not separable. See Proposition 2.21. The following result is the key to counting points on elliptic curves over finite fields. Since φq is an endomorphism of E, so are φ2q = φq ◦ φq and also φnq = φq ◦ φq ◦ · · · ◦ φq for every n ≥ 1. Since multiplication by −1 is also an endomorphism, the sum φnq − 1 is an endomorphism of E. PROPOSITION 4.7 Let E be defined over Fq and let n ≥ 1. 1. Ker(φnq − 1) = E(Fqn ).

100

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

2. φnq − 1 is a separable endomorphism, so #E(Fqn ) = deg(φnq − 1). PROOF Since φnq is the Frobenius map for the field Fqn , part (1) is just a restatement of Lemma 4.5. The fact that φnq − 1 is separable was proved in Proposition 2.29. Therefore (2) follows from Proposition 2.21. Proof of Hasse’s theorem: We can now prove Hasse’s theorem (Theorem 4.2). Let a = q + 1 − #E(Fq ) = q + 1 − deg(φq − 1).

(4.1)

√ We want to show that |a| ≤ 2 q. We need the following. LEMMA 4.8 Let r, s be integers with gcd(s, q) = 1. Then deg(rφq − s) = r2 q + s2 − rsa. PROOF

Proposition 3.16 implies that

deg(rφq − s) = r2 deg(φq ) + s2 deg(−1) + rs(deg(φq − 1) − deg(φq ) − deg(−1)). Since deg(φq ) = q and deg(−1) = 1, the result follows from (4.1). REMARK 4.9 The assumption that gcd(s, q) = 1 is not needed. We include it since we have proved Proposition 3.16 not in general, but only when the endomorphisms are separable or φq . We can now finish the proof of Hasse’s theorem. Since deg(rφq − s) ≥ 0, the lemma implies that r  r 2 +1≥0 −a q s s for all r, s with gcd(s, q) = 1. The set of rational numbers r/s such that gcd(s, q) = 1 is dense in R. (Proof: Take s to be a power of 2 or a power of 3, one of which must be relatively prime with q. The rationals of the form r/2m and those of the form r/3m are easily seen to be dense in R.) Therefore, qx2 − ax + 1 ≥ 0 for all real numbers x. Therefore the discriminant of the polynomial is negative √ or 0, which means that a2 − 4q ≤ 0, hence |a| ≤ 2 q. This completes the proof of Hasse’s theorem. There are several major ingredients of the above proof. One is that we can identify E(Fq ) as the kernel of φq − 1. Another is that φq − 1 is separable,

SECTION 4.2 THE FROBENIUS ENDOMORPHISM

101

so the order of the kernel is the degree of φq − 1. A third major ingredient is the Weil pairing, especially part (6) of Theorem 3.9, and its consequence, Proposition 3.16. Proposition 4.7 has another very useful consequence. THEOREM 4.10 Let E be an elliptic curve defined over Fq . Let a be as in Equation 4.1. Then φ2q − aφq + q = 0 as endomorphisms of E, and a is the unique integer k such that φ2q − kφq + q = 0. In other words, if (x, y) ∈ E(Fq ), then 

2

xq , y q

2



− a (xq , y q ) + q(x, y) = ∞,

and a is the unique integer such that this relation holds for all (x, y) ∈ E(Fq ). Moreover, a is the unique integer satisfying a ≡ Trace((φq )m ) mod m for all m with gcd(m, q) = 1. PROOF If φ2q − aφq + q is not the zero endomorphism, then its kernel is finite (Proposition 2.21). We’ll show that the kernel is infinite, hence the endomorphism is 0. Let m ≥ 1 be an integer with gcd(m, q) = 1. Recall that φq induces a matrix (φq )m that describes the action of φq on E[m]. Let  (φq )m =

s t uv

 .

Since φq −1 is separable by Proposition 2.29, Propositions 2.21 and 3.15 imply that #Ker(φq − 1) = deg(φq − 1) ≡ det((φq )m − I) = sv − tu − (s + v) + 1 (mod m). By Proposition 3.15, sv−tu = det((φq )m ) ≡ q (mod m). By (4.1), #Ker(φq − 1) = q + 1 − a. Therefore, Trace((φq )m ) = s + v ≡ a (mod m).

102

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

By the Cayley-Hamilton theorem of linear algebra, or by a straightforward calculation (substituting the matrix into the polynomial), we have (φq )2m − a(φq )m + qI ≡ 0

(mod m),

where I is the 2×2 identity matrix. (Note that X 2 −aX +q is the characteristic polynomial of (φq )m .) This means that the endomorphism φ2q − aφq + q is identically zero on E[m]. Since there are infinitely many choices for m, the kernel of φ2q − aφq + q is infinite, so the endomorphism is 0. Suppose a1 = a satisfies φ2q − a1 φq + q = 0. Then (a − a1 )φq = (φ2q − a1 φq + q) − (φ2q − aφq + q) = 0. By Theorem 2.22, φq : E(Fq ) → E(Fq ) is surjective. Therefore, (a − a1 ) annihilates E(Fq ). In particular, (a − a1 ) annihilates E[m] for every m ≥ 1. Since there are points in E[m] of order m when gcd(m, q) = 1, we find that a − a1 ≡ 0 (mod m) for such m. Therefore a − a1 = 0, so a is unique. We single out the following result, which was proved during the proof of Theorem 4.10. PROPOSITION 4.11 Let E be an elliptic curve over Fq and let (φq )m denote the matrix giving the action of the Frobenius φq on E[m]. Let a = q + 1 − #E(Fq ). Then Trace((φq )m ) ≡ a (mod m),

det((φq )m ) ≡ q

(mod m).

The polynomial X 2 −aX +q is often called the characteristic polynomial of Frobenius.

4.3 Determining the Group Order Hasse’s theorem gives bounds for the group of points on an elliptic curve over a finite field. In this section and in Section 4.5, we’ll discuss some methods for actually determining the order of the group.

4.3.1 Subfield Curves Sometimes we have an elliptic curve E defined over a small finite field Fq and we want to know the order of E(Fqn ) for some n. We can determine the

SECTION 4.3

DETERMINING THE GROUP ORDER

103

order of E(Fqn ) when n = 1 by listing the points or by some other elementary procedure. The amazing fact is that this allows us to determine the order for all n. THEOREM 4.12 Let #E(Fq ) = q + 1 − a. Write X 2 − aX + q = (X − α)(X − β). Then #E(Fqn ) = q n + 1 − (αn + β n ) for all n ≥ 1. PROOF First, we need the fact that αn + β n is an integer. This could be proved by remarking that it is an algebraic integer and is also a rational number. However, it can also be proved by more elementary means. LEMMA 4.13 Let sn = αn + β n . Then s0 = 2, s1 = a, and sn+1 = asn − qsn−1 for all n ≥ 1. PROOF Multiply the relation α2 − aα + q = 0 by αn−1 to obtain αn+1 = aαn − qαn−1 . There is a similar relation for β. Add the two relations to obtain the lemma. It follows immediately from the lemma that αn + β n is an integer for all n ≥ 0. Let f (X) = (X n − αn )(X n − β n ) = X 2n − (αn + β n )X n + q n . Then X 2 − aX + q = (X − α)(X − β) divides f (X). It follows immediately from the standard algorithm for dividing polynomials that the quotient is a polynomial Q(X) with integer coefficients (the main points are that the leading coefficient of X 2 − aX + q is 1 and that this polynomial and f (X) have integer coefficients). Therefore (φnq )2 − (αn + β n )φnq + q n = f (φq ) = Q(φq )(φ2q − aφq + q) = 0, as endomorphisms of E, by Theorem 4.10. Note that φnq = φqn . By Theorem 4.10, there is only one integer k such that φ2qn − kφqn + q n = 0, and such a k is determined by k = q n + 1 − #E(Fqn ). Therefore, αn + β n = q n + 1 − #E(Fqn ). This completes the proof of Theorem 4.12.

104

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

Example 4.4 In Example 4.3, we showed that the elliptic curve E given by y 2 +xy = x3 +1 over F2 satisfies #E(F2 ) = 4. Therefore, a = 2 + 1 − 4 = −1, and we obtain the polynomial √  √   −1 + −7 −1 − −7 X2 + X + 2 = X − X− . 2 2 Theorem 4.12 says that  #E(F4 ) = 4 + 1 −

√ 2  √ 2 −1 + −7 −1 − −7 − . 2 2

Rather than computing the last expression directly, we can use the recurrence in Lemma 4.13: s2 = as1 − 2s0 = −(−1) − 2(2) = −3. It follows that #E(F4 ) = 4 + 1 − (−3) = 8, which is what we calculated by listing points. Similarly, using the recurrence or using sufficiently high precision floating point arithmetic yields √ 101 √ 101   −1 − −7 −1 + −7 + = 2969292210605269. 2 2 Therefore, #E(F2101 ) = 2101 + 1 − 2969292210605269 = 2535301200456455833701195805484.

The advantage of Theorem 4.12 is that it allows us to determine the group order for certain curves very quickly. The disadvantage is that it requires the curve to be defined over a small finite field.

4.3.2 Legendre Symbols To make a list of points on y 2 = x3 + Ax + B over a finite field, we tried each possible value of x, then found the square roots y of x3 + Ax + B, if they existed. This procedure is the basis for a simple point counting algorithm.   x Recall the Legendre symbol p for an odd prime p, which is defined as follows: ⎧   ⎨ +1 if t2 ≡ x (mod p) has a solution t ≡ 0 (mod p), x = −1 if t2 ≡ x (mod p) has no solution t ⎩ p 0 if x ≡ 0 (mod p).

SECTION 4.3

DETERMINING THE GROUP ORDER

105

This can be generalized to any finite field Fq with q odd by defining, for x ∈ Fq , ⎧   ⎨ +1 if t2 = x has a solution t ∈ F× q , x = −1 if t2 = x has no solution t ∈ Fq , ⎩ Fq 0 if x = 0. THEOREM 4.14 Let E be an elliptic curve defined by y 2 = x3 + Ax + B over Fq . Then

 x3 + Ax + B  #E(Fq ) = q + 1 + . Fq x∈Fq

PROOF For a given x0 , there are two points (x, y) with x-coordinate x0 if x30 + Ax0 + B is a nonzero square in Fq , one such point if it is zero, and no points if it is not  3a square.Therefore, the number of points with x-coordinate x +Ax +B . Summing over all x0 ∈ Fq , and including 1 for x0 equals 1 + 0 Fq0 the point ∞, yields #E(Fq ) = 1 +



 1+

x∈Fq

x3 + Ax + B Fq

 .

Collecting the term 1 from each of the q summands yields the desired formula.

COROLLARY 4.15 Let x3 + Ax + B be a polynomial with A, B ∈ Fq , where q is odd. Then       x3 + Ax + B   ≤ 2√q.    F q  x∈Fq PROOF When x3 + Ax + B has no repeated roots, y 2 = x3 + Ax + B gives an elliptic curve, so Theorem 4.14 says that

 x3 + Ax + B  q + 1 − #E(Fq ) = − . Fq x∈Fq

The result now follows from Hasse’s theorem. The case where x3 + Ax + B has repeated roots follows from Exercise 4.3.

106

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

Example 4.5 Let E be the curve y 2 = x3 + x + 1 over F5 , as in Example 4.1. The nonzero squares mod 5 are 1 and 4. Therefore #E(F5 ) = 5 + 1 +

 4  3

x +x+1 x=0

= 6+

5

          1 3 1 1 4 + + + + 5 5 5 5 5

= 6 + 1 − 1 + 1 + 1 + 1 = 9.

When using Theorem 4.14, it is possible to compute each individual generalized Legendre symbol quickly (see Exercise 4.4), but it is more efficient to square all the elements of F× q and store the list of squares. For simplicity, consider the case of Fp . Make a vector with p entries, one for each element of Fp . Initially, all entries in the vector are set equal to −1. For each j with 1 ≤ j ≤ (p − 1)/2, square j and reduce to get k mod p. Change the kth entry in the vector to +1. Finally, change the 0th entry in the vector to 0. The resulting vector will be a list of the values of the Legendre symbol. Theorem 4.14, which is sometimes known as the Lang-Trotter method, works quickly for small values of q, perhaps q < 100, but is slow for larger q, and is impossible to use when q is around 10100 or larger.

4.3.3 Orders of Points Let P ∈ E(Fq ). The order of P is the smallest positive integer k such that kP = ∞. A fundamental result from group theory (a corollary of Lagrange’s theorem) is that the order of a point always divides the order of the group E(Fq ). Also, for an integer n, we have nP = ∞ if and only if the order of √ P divides n. By Hasse’s theorem, #E(Fq ) lies in an interval of length 4 q. √ Therefore, if we can find a point of order greater than 4 q, there can be only one multiple of this order in the correct interval, and it must be #E(Fq ). √ Even if the order of the point is smaller than 4 q, we obtain a small list of possibilities for #E(Fq ). Using a few more points often shortens the list enough that there is a unique possibility for #E(Fq ). For an addiitonal trick that helps in this situation, see Proposition 4.18. How do we find the order of a point? If we know the order of the full group of points, then we can look at factors of this order. But, at present, the order of the group is what we’re trying to find. In Section 4.3.4, we’ll discuss a method (Baby Step, Giant Step) for finding the order of a point.

SECTION 4.3

DETERMINING THE GROUP ORDER

107

Example 4.6 Let E be the curve y 2 = x3 + 7x + 1 over F101 . It is possible to show that the point (0, 1) has order 116, so N101 = #E(F101 ) is a multiple of 116. Hasse’s theorem says that √ √ 101 + 1 − 2 101 ≤ N101 ≤ 101 + 1 + 2 101, which means that 82 ≤ N101 ≤ 122. The only multiple of 116 in this range is 116, so N101 = 116. As a corollary, we find that the group of points is cyclic of order 116, generated by (0,1). Example 4.7 Let E be the elliptic curve y 2 = x3 − 10x + 21 over F557 . The point (2, 3) can be shown to have order 189. Hasse’s theorem implies that 511 ≤ N557 ≤ 605. The only multiple of 189 in this range is 3 · 189 = 567. Therefore N557 = 567.

Example 4.8 Let E be the elliptic curve y 2 = x3 + 7x + 12 over F103 . The point (−1, 2) has order 13 and the point (19, 0) has order 2. Therefore the order N103 of E(F103 ) is a multiple of 26. Hasse’s theorem implies that 84 ≤ N103 ≤ 124. The only multiple of 26 in that range is 104, so N103 = 104. Example 4.9 Let E be the elliptic curve y 2 = x3 + 2 over F7 , as in Example 4.2. The group of points E(F7 ) is isomorphic to Z3 ⊕ Z3 . Every point, except ∞, has order 3, so the best we can conclude with the present method is that the order N7 of the group is a multiple of 3. Hasse’s theorem says that 3 ≤ N7 ≤ 13, so the order is 3, 6, 9, or 12. Of course, if we find two independent points of order 3 (that is, one is not a multiple of the other), then they generate a subgroup of order 9. This means that the order of the full group is a multiple of 9, hence is 9. The situation of the last example, where E(Fq )  Zn ⊕ Zn , makes it more difficult to find the order of the group of points, but is fairly rare, as the next result shows. PROPOSITION 4.16 Let E be an elliptic curve over Fq and suppose E(Fq )  Zn ⊕ Zn for some integer n. Then either q = n2 + 1 or q = n2 ± n + 1 or q = (n ± 1)2 .

108

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

√ PROOF By Hasse’s theorem, n2 = q + 1 − a, with |a| ≤ 2 q. To prove the proposition, we use the following lemma, which puts a severe restriction on a. LEMMA 4.17 a ≡ 2 (mod n). PROOF Let p be the characteristic of Fq . Then p
n; otherwise, there would be p2 points in E[p], which is impossible in characteristic p by Theorem 3.2. Since E[n] ⊆ E(Fq ), Corollary 3.11 implies that the nth roots of unity are in Fq , so q − 1 must be a multiple of n (see Appendix C). Therefore, a = q + 1 − n2 ≡ 2 (mod n). Write a = 2 + kn for some integer k. Then n2 = q + 1 − a = q − 1 − kn, By Hasse’s theorem,

so

q = n2 + kn + 1.

√ |2 + kn| ≤ 2 q.

Squaring this last inequality yields 4 + 4kn + k 2 n2 ≤ 4q = 4(n2 + kn + 1). Therefore, |k| ≤ 2. The possibilities k = 0, ±1, ±2 give the values of q listed in the proposition. This completes the proof of Proposition 4.16. Most values of q are not of the form given in the proposition, and even for such q most elliptic curves do not have E(Fq )  Zn ⊕ Zn (only a small fraction have order n2 ), so we can regard Zn ⊕ Zn as rare. More generally, most q are such that all elliptic curves over Fq have points √ of order greater than 4 q (Exercise 4.6). Therefore, with a little luck, we can usually find points with orders that allow us to determine #E(Fq ). The following result of Mestre shows that for E defined over Fp , there is a point of sufficiently high order on either E or its quadratic twist. The quadratic twist of E is defined as follows. Let d ∈ F× p be a quadratic nonresidue mod p. If E has equation y 2 = x3 + Ax + B, then the quadratic twist E  has the equation y 2 = x3 + Ad2 x + Bd3 (see Exercise 2.23). By Exercise 4.10, if #E(Fp ) = p + 1 − a then E  has p + 1 + a points. Once we know the order of one of these two groups, we know a and therefore know the order of both groups.

SECTION 4.3

DETERMINING THE GROUP ORDER

109

PROPOSITION 4.18 Let p > 229 be prime and let E be an elliptic curve over Fp . Either E or its quadratic twist E  has a point P whose order has only one multiple in the √ √ interval p + 1 − 2 p, p + 1 + 2 p . PROOF

Let E(Fp )  Zm ⊕ ZM ,

E  (Fp )  Zn ⊕ ZN ,

with m|M and n|N . If mM = #E(Fp ) = p + 1 − a, then nN = #E  (Fp ) = p + 1 + a. Since m|M and n|N , we have m2 |p + 1 − a and n2 |p + 1 + a. Therefore, gcd(m2 , n2 )|2a. Since E[m] ⊆ E(Fp ), then µm ⊆ F× p by Corollary 3.11, so p ≡ 1 (mod m). Therefore, 2 − a ≡ p + 1 − a ≡ 0 (mod m). Similarly, 2 + a ≡ 0 (mod n). Therefore, gcd(m, n)|(2 − a) + (2 + a) = 4, and gcd(m2 , n2 )|16. If 4|m and 4|n, then 16| gcd(m2 , n2 ), which divides 2a. Then 8|a, which is impossible since then 2−a ≡ 0 (mod m) implies 2−0 ≡ 0 (mod 4). Therefore, gcd(m2 , n2 )|4. This implies that the least common multiple of m2 and n2 is a multiple of m2 n2 /4. Let φ be the pth power Frobenius endomorphism for E. Since E[n] ⊆ E(Fp ), it follows that φ acts trivially on E[n]. Choose a basis for E[n2 ]. The action of φ on E[n2 ] is given by a matrix of the form   1 + sn tn . un 1 + vn By Proposition 4.11, we have a ≡ 2 + (s + v)n (mod n2 ) and p ≡ 1 + (s + v)n (mod n2 ). Therefore, 4p−a2 ≡ 0 (mod n2 ). Similarly, 4p−a2 ≡ 0 (mod m2 ). It follows that the least common multiple of m2 and n2 divides 4p − a2 , so m2 n2 ≤ 4p − a2 . 4 √ Suppose that both M and N are less than 4 p. Then, since a2 < 4p, (p − 1)2 < (p + 1)2 − a2 = (p + 1 − a)(p + 1 + a) = mM nN

1/2 √ 2 < 4(4p − a2 ) (4 p) ≤ 64p3/2 . A straightforward calculation shows that this implies that p < 4100. We have therefore shown that if p > 4100, then either M or N must be greater than √ √ 4 p. This means that either E or E  has a point of order greater than 4 p. Therefore, there can be at most one multiple of this order in the interval √ √ p + 1 − 2 p, p + 1 + 2 p . This proves the theorem for p > 4100. Suppose now that 457 < p < 4100. A straightforward computation shows √ that there are no integers a, m, n with |a| < 2 p such that

110

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

1. m2 |p + 1 − a 2. n2 |p + 1 + a √ 3. (p + 1 − a)/m < 4 p √ 4. (p + 1 + a)/n < 4 p. Therefore, the theorem is true for p > 457. For p = 457, we may take a = 10, m = 8, n = 6, which correspond to the groups Z8 ⊕ Z56 and Z6 ⊕ Z78 (and can be realized by the curves  2 3 E : y 2 = x3 −125 and its quadratic twist √ that

E : y = x√−1). Note, however, the only multiple of 56 in the interval 457 + 1 − 2 457, 457 + 1 + 2 457 = (415.2, 500.8) is 448, which is the order of E(F457 ). Similarly, the only multiple of 78 in this interval is 468, which is the order of E  (F457 ). Therefore, the theorem still holds in this case. In fact, the search for a, m, n can be extended in this way to 229 < p ≤ 457, with conditions (3) and (4) replaced by 3’. there is more than one multiple of (p + 1 − a)/m in the interval √ √ p + 1 − 2 p, p + 1 + 2 p 4’. there is more than one multiple of (p + 1 + a)/m in the interval √ √ p + 1 − 2 p, p + 1 + 2 p . No values of a, m, n exist satisfying these conditions, so the theorem holds.

Example 4.10 The theorem is false for p = 229. Consider the curve E : y 2 = x3 − 1. A calculation shows that E(F229 )  Z6 ⊕ Z42 . Therefore, 42P = ∞ for all P ∈ E(F229 ). The Hasse bound says that 200 ≤ #E(F229 ) ≤ 260, so the existence of a point of order 42 allows both the values 210 and 252. Since 2 is a quadratic nonresidue mod 229, the curve E  : y 2 = x3 −8 is the quadratic twist of E. A calculation shows that E  (F229 )  Z4 ⊕ Z52 . Therefore, 52P = ∞ for all P ∈ E  (F229 ). The existence of a point of order 52 allows both the values 208 and 260. Therefore, neither E nor its quadratic twist E  has a point whose order has only one multiple in the Hasse interval. Suppose E(Fq )  Zn1 ⊕ Zn2 with n1 |n2 . Then the order of every element divides n2 . If we choose some random points and compute their orders, what is the chance that the least common multiple of these orders is n2 ? Let P1 , P2 be points of orders n1 , n2 such that every P ∈ E(Fq ) is uniquely expressible in the form P = a1 P1 + a2 P2 with 0 ≤ ai < ni . Let p be a prime dividing n2 . If we take a random point P , then the probability is 1 − 1/p that p
a2 . If p
a2 , then the order of P contains the highest power of p possible. If p is large, then this means that it is very likely that the order of one randomly chosen

SECTION 4.3

DETERMINING THE GROUP ORDER

111

point will contribute the correct power of p to the least common multiple of the orders of the points. If p is small, say p = 2, then the probability is at least 1/2. This means that if we choose several randomly chosen points, the least common multiples of their orders should still have the correct power of p. The conclusion is that if we choose several random points and compute the least common multiple of their orders, it is very likely that we will obtain n2 , which is as large as possible. The following result of Cremona and Harley shows that knowledge of n2 usually determines the group structure. PROPOSITION 4.19 Let E be an elliptic curve over Fq . Write E(Fq )  Zn1 ⊕ Zn2 with n1 |n2 . Suppose that q is not one of the following: 3, 4, 5, 7, 9, 11, 13, 17, 19, 23, 25, 27, 29, 31, 37, 43, 61, 73, 181, 331, 547. Then n2 uniquely determines n1 . PROOF Fix q and suppose there exist n2 , x, y (regard x, y as two possible values of n1 ) with 1. x, y|n2 √

2 √

2 2. q − 1 ≤ n2 x < n2 y ≤ q+1 (so the groups of order n2 x and n2 y satisfy the bounds in Hasse’s theorem). Our first goal is to show that if n2 , x, y satisfying (1) and (2) exist then q ≤ 4612. Let d = gcd(x, y). Then n2 = dn2 , x = x/d, y  = y/d also satisfy (1), (2). So we may assume that gcd(x, y) = 1. Since n2 y − n2 x > 0, √ √ √ 2 2 n2 ≤ n2 y − n2 x ≤ ( q + 1) − ( q − 1) = 4 q. Since x, y|n2 , we have xy|n2 , hence xy ≤ n2 . Therefore, √ x2 ≤ xy ≤ n2 ≤ 4 q, which implies that √ √ 1/2 √ 2 ( q − 1) ≤ n2 x ≤ (4 q) (4 q) . √

2 But q − 1 > 8q 3/4 when q ≥ 4613. Therefore, we must have q ≤ 4612. The values of q ≤ 4612 can be checked on a computer to get a much smaller list of possibilities for q. However, we can speed up the search with the following observations.

112

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

√

2 √

√ q − 1 ≤ n2 x ≤ 4 qx implies that x > q − 2 /4. Second, √

2 √

2 y 2 ≤ n2 y ≤ q + 1 . Third, xy 2 = (xy)y ≤ n2 y ≤ q + 1 . Finally, n1 |q − 1 (by Corollary 3.11), so x, y|q − 1. Therefore, we should look for values of q ≤ 4612 that are primes or prime powers and such that q − 1 has divisors x, y with First,

1. gcd(x, y) = 1

√ √ q − 2 /4 < x < y ≤ q + 1 2. √

2 q+1 . 3. xy 2 ≤ The values of q for which such x, y exist are those on the list in the statement of the theorem, plus the five values q = 49, 81, 121, 169, 841. Therefore, for all other q, a number n2 cannot have two possible values x, y for n1 , so n1 is uniquely determined. We need to eliminate the remaining five values. For example, consider q = 49. One solution is x = 2, y = 3, n2 = 18, which corresponds to #E(Fq ) = √

2 q−1 , 36 and 54. By Theorem 4.4, or by Exercise 4.14, if #E(Fq ) = then E(Fq )  Z√q−1 ⊕ Z√q−1 . Therefore, if #E(F49 ) = 36, we must have n1 = n2 = 6. This arises from x = 2 after multiplying by 3 (recall that we removed d = gcd(x, y) from x, y in order to make them relatively prime). Multiplying y = 3 by d = 3 yields n1 = 9, n2 = 6, which does not satisfy n1 |n2 . Therefore, the solution x = 2, y = 3 for q = 49 is eliminated. Similarly, all solutions for all of the five values q = 49, 81, 121, 169, 841 can be eliminated. This completes the proof. .

4.3.4 Baby Step, Giant Step Let P ∈ E(Fq ). We want to find the order of P . First, we want to find an integer k such that kP = ∞. Let #E(Fq ) = N . By Lagrange’s theorem, √ N P = ∞. Of course, we might not know N yet, but we know that q+1−2 q ≤ √ N ≤ q + 1 + 2 q. We could try all values of N in this range and see which √ ones satisfy N P = ∞. This takes around 4 q steps. However, it is possible to speed this up to around 4q 1/4 steps by the following algorithm. 1. Compute Q = (q + 1)P . 2. Choose an integer m with m > q 1/4 . Compute and store the points jP for j = 0, 1, 2, . . . , m. 3. Compute the points Q + k(2mP ) for k = −m, −(m − 1), . . . , m

SECTION 4.3

DETERMINING THE GROUP ORDER

113

until there is a match Q + k(2mP ) = ±jP with a point (or its negative) on the stored list. 4. Conclude that (q + 1 + 2mk ∓ j)P = ∞. Let M = q + 1 + 2mk ∓ j. 5. Factor M . Let p1 , . . . , pr be the distinct prime factors of M . 6. Compute (M/pi )P for i = 1, . . . , r. If (M/pi )P = ∞ for some i, replace M with M/pi and go back to step (5). If (M/pi )P = ∞ for all i then M is the order of the point P . 7. If we are looking for the #E(Fq ), then repeat steps (1)-(6) with randomly chosen points in E(Fq ) until the least common multiple of the √ √ orders divides only one integer N with q + 1 − 2 q ≤ N ≤ q + 1 + 2 q. Then N = #E(Fq ). There are two points that must be addressed. I. Assuming that there is a match, this method clearly produces an integer that annihilates P . But why is there a match? LEMMA 4.20 Let a be an integer with |a| ≤ 2m2 . There exist integers a0 and a1 with −m < a0 ≤ m and −m ≤ a1 ≤ m such that a = a0 + 2ma1 . PROOF Then

Let a0 ≡ a (mod 2m), with −m < a0 ≤ m and a1 = (a − a0 )/2m. |a1 | ≤ (2m2 + m)/2m < m + 1.

Let a = a0 + 2ma1 be as in the lemma and let k = −a1 . Then Q + k(2mP ) = (q + 1 − 2ma1 )P = (q + 1 − a + a0 )P = N P + a0 P = a0 P = ±jP, where j = |a0 |. Therefore, there is a match. II. Why does step (6) yield the order of P ? LEMMA 4.21 Let G be an additive group (with identity element 0) and let g ∈ G. Suppose M g = 0 for some positive integer M . Let p1 , . . . , pr be the distinct primes dividing M . If (M/pi )g = 0 for all i, then M is the order of g.

114

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

PROOF Let k be the order of g. Then k|M . Suppose k = M . Let pi be a prime dividing M/k. Then pi k|M , so k|(M/pi ). Therefore, (M/pi )g = 0, contrary to assumption. Therefore k = M . Therefore, step (6) finds the order of P . REMARK 4.22 (1) To save storage space, it might be more efficient to store only the x coordinates of the points jP (along with the corresponding integer j), since looking for a match with ±jP only requires the x-coordinate (assuming we are working with a Weierstrass equation). When a match is found, the two possible y-coordinates can be recomputed. (2) Computing Q + k(2mP ) can be done by computing Q and 2mP once for all. To get from Q + k(2mP ) to Q + (k + 1)(2mP ), simply add 2mP rather than recomputing everything. Similarly, once jP has been computed, add P to get (j + 1)P . (3) We are assuming that we can factor M . If not, we can at least find all the small prime factors pi and check that (M/pi )P = ∞ for these. Then M will be a good candidate for the order of P . (4) Why is the method called “Baby Step, Giant Step”? The baby steps are from a point jP to (j + 1)P . The giant steps are from a point k(2mP ) to (k + 1)(2mP ), since we take the “bigger” step 2mP . Example 4.11 Let E be the elliptic curve y 2 = x3 − 10x + 21 over F557 , as in Example 4.7. Let P = (2, 3). We follow the procedure above. 1. Q = 558P = (418, 33). 2. Let m = 5, which is greater than 5571/4 . The list of jP is ∞, (2, 3), (58, 164), (44, 294), (56, 339), (132, 364). 3. When k = 1, we have Q + k(2mP ) = (2, 3), which matches the point on our list for j = 1. 4. We have (q + 1 + 2mk − j)P = 567P = ∞. 5. Factor 567 = 34 · 7. Compute (567/3)P = 189P = ∞. We now have 189 as a candidate for the order of P . 6. Factor 189 = 33 7. Compute (189/3)P = (38, 535) = ∞ and (189/7)P = (136, 360) = ∞. Therefore 189 is the order of P . As pointed out in Example 4.7, this suffices to determine that #E(F557 ) = 567.

SECTION 4.4 A FAMILY OF CURVES

115

4.4 A Family of Curves In this section we give an explicit formula for the number of points in E(Fp ), where E is the elliptic curve y 2 = x3 − kx, and k ≡ 0 (mod p). Counting the points on this curve mod a prime p has a long history, going back at least to Gauss. THEOREM 4.23 Let p be an odd prime and let k ≡ 0 (mod p). Let Np = #E(Fp ), where E is the elliptic curve y 2 = x3 − kx. 1. If p ≡ 3 (mod 4), then Np = p + 1. 2. If p ≡ 1 (mod 4), write p = a2 + b2 , where a, b are integers with b even and a + b ≡ 1 (mod 4). Then ⎧ ⎨ p + 1 − 2a if k is a fourth power mod p Np = p + 1 + 2a if k is a square mod p but not a 4th power mod p ⎩ p + 1 ± 2b if k is not a square mod p. The proof of the theorem will take the rest of this section. The integer a is uniquely determined by the conditions in the theorem, and b is uniquely determined up to sign. When k is not a square mod p, the proof below does not determine the sign of b. This is a much more delicate problem and we omit it. Example 4.12 Let p = 61 = (−5)2 + 62 , where we chose the negative sign on 5 so that −5 + 6 ≡ 1 (mod 4). Since k = 1 is a fourth power, the number of points on y 2 = x3 − x is p + 1 − 2(−5) = 72. It is well known that every prime p ≡ 1 (mod 4) is a sum of two squares (this follows from Proposition 4.27 below). The next lemma shows that a and b are uniquely determined up to order and sign. LEMMA 4.24 Suppose p is prime and a, b, c, d are integers such that a2 + b2 = p = c2 + d2 . Then a = ±c and b = ±d, or a = ±d and b = ±c.

116

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

PROOF We have (a/b)2 +1 ≡ 0 ≡ (c/d)2 +1 (mod p), so a/b ≡ ±(c/d). By changing the sign of c if necessary, we may assume that a/b ≡ c/d (mod p), hence ad − bc ≡ 0 (mod p). A quick calculation shows that p2 = (ac + bd)2 + (bc − ad)2 .

(4.2)

Suppose ad = bc. Then (4.2) implies that ac + bd = ±p, so ±ap = a2 c + abd = a2 c + b2 c = pc. Hence, ±a = c. It follows that b = ±d. Now suppose ad = bc. Since ad − bc ≡ 0 (mod p), we have (ad − bc)2 ≥ p2 . Since (ac + bd)2 ≥ 0, it follows from (4.2) that ad − bc = ±p and ac + bd = 0. Therefore, ±cp = acd − bc2 = −bd2 − bc2 = −bp, so c = ±b. This implies that d = ±a. If we require that a is odd and b is even, then a and b are uniquely determined up to sign. Suppose b ≡ 2 (mod 4). Then a + b ≡ 1 (mod 4) for a unique choice of the sign of a. Similarly, if b ≡ 0 (mod 4), there is a unique choice of the sign of a that makes a + b ≡ 1 (mod 4). Therefore, the integer a in the lemma is uniquely determined by p if we require that a is odd and a + b ≡ 1 (mod 4). The main part of the proof of Theorem 4.23 involves the case p ≡ 1 (mod 4), so let’s treat the case p ≡ 3 (mod 4) first. The main point is that −1 is not a square mod p (Proof: if x2 ≡ −1, then 1 ≡ xp−1 ≡ (x2 )(p−1)/2 ≡ (−1)(p−1)/2 ≡ (−1)odd = −1, contradiction). Moreover, a nonsquare times a nonsquare is a square mod p. Therefore x3 − kx is a nonzero square mod p if and only if (−x)3 − k(−x) = −(x3 − kx) is not a square mod p. Let’s count points on E. Whenever x3 − kx = 0, we obtain one point (x, 0). For the remaining values of x, we pair up x and −x. One of these gives two points (the one that makes x3 − kx a square) and the other gives no points. Therefore, each pair x, −x gives two points. Therefore, we obtain a total of p points. The point ∞ gives one more, so we have p + 1 points. Now assume p ≡ 1 (mod 4). The proof, which takes the rest of this section, involves several steps and counts the points in terms of Jacobi sums. Rather than count the points on E directly, we make the transformation (see Theorem 2.17) 4(v + 1) 2(v + 1) , y= , x= u2 u3 which changes E into the curve C given by v 2 = (k/4)u4 + 1. The inverse transformation is u=

2x , y

v = −1 +

2x3 . y2

SECTION 4.4 A FAMILY OF CURVES

117

We’ll count the points on C mod p. First, there are a few special points for the transformation from E to C. The point ∞ on E corresponds to (0, 1) on C. The point (0, 0) on E corresponds to (0, −1) on C (see √ Theorem 2.17). If k is a square mod p, then the two 2-torsion points (± k, 0) correspond to the point at infinity on C. Therefore, #E(Fp ) = #{(u, v) ∈ Fp × Fp | v 2 = (k/4)u4 + 1} + δ, 

where δ=

2 if k is a square mod p 0 if not.

Let g be a primitive root mod p, which means that j F× p = {g | 0 ≤ j < p − 1}.

Let i =

√

−1 ∈ C. Define χ2 (g j ) = (−1)j

and

χ4 (g j ) = ij .

Then χ2 and χ4 can be regarded as homomorphisms from F× p to {±1, ±i}. Note that χ24 = χ2 . The following lemma gets us started. LEMMA 4.25 Let p ≡ 1 (mod 4) be prime and let x ∈ F× p . Then #{u ∈

F× p

2

| u = x} =

1

χ2 (x)
,


=0

and 4 #{u ∈ F× p | u = x} =

3

χ4 (x)
.


=0

PROOF Since p ≡ 1 (mod 4), there are 4 fourth roots of 1 in F× p . There4 fore, if there is a solution to u ≡ x, there are 4 solutions. Write x ≡ g j (mod p). Then x is a fourth power mod p if and only if j ≡ 0 (mod 4). We have  3 3



4 if j ≡ 0 (mod 4)
j
χ4 (x) = i = 0 if j ≡ 0 (mod 4),
=0


=0

which is exactly the number of u with u4 ≡ x. This proves the second half of the lemma. The proof of the first half is similar. If, instead, we sum over the elements of F× p , we have the following result.

118

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

LEMMA 4.26 Let p ≡ 1 (mod 4) be prime. Then 

p−1
χ4 (b) = 0 ×

if if

b∈Fp

 ≡ 0 (mod 4)  ≡ 0 (mod 4).

PROOF If  ≡ 0 (mod 4), all the terms in the sum are 1, so the sum is p − 1. If  ≡ 0 (mod 4), then χ4 (g)
= 1. Multiplying by g permutes the elements of F× p , so



χ4 (g)
χ4 (b)
= χ4 (gb)
= χ4 (c)
, b∈F× p

b∈F× p

c∈F× p

which is the original sum. Since χ4 (g)
= 1, the sum must be 0. Define the Jacobi sums by J(χj2 , χ
4 ) =



χ2 (a)j χ4 (1 − a)
.

× a∈Fp a=1

PROPOSITION 4.27 J(χ2 , χ24 ) = −1 and |J(χ2 , χ4 )|2 = p. PROOF

The first equality is proved as follows.



J(χ2 , χ24 ) = χ2 (a)χ4 (1 − a)2 = χ2 (a)χ2 (1 − a), a=0,1

× a∈Fp a=1

since χ24 = χ2 . Since χ2 (a) = ±1, we have χ2 (a) = χ2 (a)−1 so the sum equals  



1−a χ2 (a)−1 χ2 (1 − a) = χ2 . a a=0,1

a=0,1

The map x → 1 − x1 gives a permutation of the set of x ∈ Fp , x = 0, 1. Therefore, letting c = 1 − 1/a, we obtain  



1 −1 = χ2 χ2 (−c) = −χ2 (−1), a a=0,1

c=0,1

by Lemma 4.26. Since g (p−1)/2 ≡ −1 (mod p) (both have order 2 in the cyclic group F× p ), we have 1 = (±1)2 = χ2 (g (p−1)/4 )2 = χ2 (g (p−1)/2 ) = χ2 (−1).

119

SECTION 4.4 A FAMILY OF CURVES

This yields the first equality of the proposition. To prove the second equality, multiply the Jacobi sum by its complex conjugate to obtain



χ2 (a)χ4 (1 − a) χ2 (b)χ4 (1 − b) |J(χ2 , χ4 )|2 = a=0,1

=



a=0,1 b=0,1

χ2

a b

b=0,1



χ4

1−a 1−b

 .

We have used the fact that χ4 (x) = χ4 (x)−1 . We now need the following. LEMMA 4.28 Let S = {(x, y) | x, y ∈ F× p ; x, y = 1; x = y}. The map   x 1−x , σ : (x, y) → y 1−y is a permutation of S. PROOF Let c = x/y and d = (1 − x)/(1 − y). Then x = 0 yields c = 0 and x = 1 yields d = 0. The assumption that x = y yields c, d = 1 and c = d. Therefore, (c, d) ∈ S. To show that σ is surjective, let c, d ∈ S. Let d−1 d−1 , y= . d−c d−c It is easily verified that (c, d) ∈ S implies (x, y) ∈ S and that σ(x, y) = (c, d). x=c

Returning to the proof of the proposition, we find that a 1 − a

a 1 − a

2 |J(χ2 , χ4 )| = χ2 χ2 χ4 + χ4 b 1−b b 1−b a=b (a,b)∈S

χ2 (c)χ4 (d) = (p − 2) + (c,d)∈S

= (p − 2) +



⎛

χ4 (d) ⎝

d=0,1

= (p − 2) +



d=0,1

⎞ χ2 (c) − χ2 (1) − χ2 (d)⎠

c∈F× p

χ4 (d)(0 − 1 − χ4 (d)2 )

d=0,1

= (p − 2) −



χ4 (d) −



χ4 (d)3

d=0,1

= (p − 2) + χ4 (1) + χ4 (1)3 = p.

120

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

This completes the proof of the second equality of Proposition 4.27. We now show that the number of points on v 2 = (k/4)u4 + 1 can be expressed in terms of Jacobi sums. By separating out the terms with u = 0 and the terms with v = 0, we obtain that the number of points is #{v | v 2 = 1} + #{u | u4 = −4/k} +



#{v | v 2 = a} #{u | u4 = −4b/k}

a+b=1 a,b=0

=

1

χ2 (1)j +

j=0

=

1

3


=0

χ2 (1)j +

j=0

+

3

a+b=1 a,b=0

χ4 (−4/k)
+


=0



1

1



χ4 (−4/k)
+

j=0

3



χ2 (a)j

3

χ4 (−4b/k)



=0

χ4 (−4b/k)


b=0,1
=0

χ2 (a)j − (p − 2)

a=0,1 j=0

+χ4 (−4/k)2 J(χ2 , χ24 ) + χ4 (−4/k)J(χ2 , χ4 ) + χ4 (−4/k)3 J(χ2 , χ34 ) (Separate out the terms with j = 0 and  = 0. These yield the sums over  and over j, respectively. The terms with j =  = 0, which sum to p − 2, are counted twice, so subtract p − 2. The terms with j,  = 0 contribute to the Jacobi sums.) =

1



χ2 (a)j +

j=0 a=0

3



χ4 (−4b/k)
− (p − 2)


=0 b=0

−χ2 (−4/k) + χ4 (−4/k)J(χ2 , χ4 ) + χ4 (−4/k)3 J(χ2 , χ34 ) = (p − 1) + (p − 1) − (p − 2) −χ2 (−4/k) + χ4 (−4/k)J(χ2 , χ4 ) + χ4 (−4/k)3 J(χ2 , χ34 ) (by Lemma 4.26) = p + 1 − δ + χ4 (−4/k)J(χ2 , χ4 ) + χ4 (−4/k)3 J(χ2 , χ34 ). For the last equality, we used the fact that  0 if k is not a square 1 + χ2 (−4/k) = 1 + χ2 (1/k) = 2 if k is a square mod p,

121

SECTION 4.4 A FAMILY OF CURVES

hence 1 + χ2 (−4/k) = δ. Therefore, #E(Fp ) = #{(u, v) ∈ Fp × Fp | v 2 = (k/4)u4 + 1} + δ = p + 1 − α − α, where α = −χ4 (−4/k)J(χ2 , χ4 ) ∈ Z[i]. If we write α = a + bi, then α + α = 2a. Proposition 4.27 implies that a2 + b2 = p, so we have almost proved Theorem 4.23. It remains to evaluate a mod 4. Let x1 + y1 i, x2 + y2 i ∈ Z[i]. We say that x1 + y1 i ≡ x2 + y2 i (mod 2 + 2i) if (x1 − x2 ) + (y1 − y2 )i = (x3 + y3 i)(2 + 2i) for some x3 +y3 i ∈ Z[i]. Clearly −2i ≡ 2 (mod 2+2i). Since 2i−2 = i(2+2i) and −2 = 2 + (−1 + i)(2 + 2i), we have 2i ≡ 2 ≡ −2 ≡ −2i

(mod 2 + 2i).

It follows easily that 2χ4 (a) ≡ 2

(mod 2 + 2i)

(4.3)

for all a. Since p − 1 is a multiple of 4 = (1 − i)(2 + 2i), we have p ≡ 1 (mod 2 + 2i). LEMMA 4.29 Let p ≡ 1 (mod 4) be prime. Then J(χ2 , χ4 ) ≡ −1 PROOF

(mod 2 + 2i).

Let S = {x ∈ F× p | x = 1}. Let τ : S → S,

x →

x . x−1

It is easy to check that τ (τ (x)) = x for all x ∈ S and that x = 2 is the only value of x such that τ (x) = x. Put the elements of S, other than 2, into pairs (x, τ (x)). Note that if x is paired with y = τ (x), then y is paired with τ (y) = τ (τ (x)) = x. This divides S into (p − 3)/2 pairs plus the element 2, which is not in a pair. We have

χ2 (a)χ4 (1 − a) = J(χ2 , χ4 ) = a=0,1

χ2 (2)χ4 (1 − 2) +

 (a,τ (a))

 χ2 (a)χ4 (1 − a) + χ2

a a−1



 χ4 1 −

a a−1

 ,

122

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

where the sum is over pairs (a, τ (a)). Note that since χ2 χ4 = χ−1 4 , we have     a χ4 (−1) a χ2 (a) χ2 χ4 1 − = a−1 a−1 χ2 (a − 1) χ4 (a − 1) = χ2 (a)χ4 (−1)χ4 (a − 1) = χ2 (a)χ4 (1 − a). Therefore, since χ2 (2) = χ4 (2)2 = χ4 (4),

J(χ2 , χ4 ) = χ4 (−4) + 2 χ2 (a)χ4 (1 − a) (a,τ (a))

≡ χ4 (−4) +



2

(by (4.3))

(a,τ (a))

≡ χ4 (−4) + (p − 3) ≡ χ4 (−4) − 2

(mod 2 + 2i).

Suppose p ≡ 1 (mod 8). Since g (p−1)/2 ≡ −1 (mod p), we have that −1 is a fourth power. It is well known that 2 is a square mod p if and only if p ≡ ±1 (mod 8) (this is one of the supplementary laws for quadratic reciprocity and is covered in most elementary number theory texts). Therefore 4 is a fourth power when p ≡ 1 (mod 8). It follows that χ4 (−4) = 1. Now suppose p ≡ 5 (mod 8). Then 2 is not a square mod p, so 2 ≡ g j (mod p) with j odd. Therefore −4 ≡ g 2j+(p−1)/2

(mod p).

Since 2j ≡ 2 (mod 4) and (p − 1)/2 ≡ 2 (mod 4), it follows that −4 is a fourth power mod p. Therefore, χ4 (−4) = 1. In both cases, we obtain J(χ2 , χ4 ) ≡ χ4 (−4) − 2 ≡ −1 (mod 2 + 2i). Since we just proved that χ4 (−4) = 1, the lemma implies that α = −χ4 (−4/k)J(χ2 , χ4 ) = −χ4 (1/k)J(χ2 , χ4 ) ≡ χ4 (k)3

(mod 2 + 2i).

LEMMA 4.30 Let α = x + yi ∈ Z[i]. 1. If α ≡ 1 (mod 2 + 2i), then x is odd and x + y ≡ 1 (mod 4). 2. If α ≡ −1 (mod 2 + 2i), then x is odd and x + y ≡ 3 (mod 4). 3. If α ≡ ±i (mod 2 + 2i), then x is even. PROOF Suppose α ≡ 1 (mod 2 + 2i), so α − 1 = (u + iv)(2 + 2i) for some u, v. Since (1 − i)(2 + 2i) = 4, we have (x + y − 1) + (y + 1 − x)i = (1 − i)(α − 1) = 4u + 4vi.

SECTION 4.5 SCHOOF’S ALGORITHM

123

Therefore, x + y ≡ 1 (mod 4) and x − y ≡ 1 (mod 4). It follows that y is even. This proves (1). The proofs of (2) and (3) are similar. If k is a fourth power mod p, then χ4 (k) = 1, so α ≡ 1 (mod 2 + 2i). The lemma yields α = a + bi with b even and a + b ≡ 1 (mod 4). This proves part of part (2) of Theorem 4.23. The other parts are proved similarly. This completes the proof of Theorem 4.23.

4.5 Schoof ’s Algorithm In 1985, Schoof [97] published an algorithm for computing the number of points on elliptic curves over finite fields Fq that runs much faster than existing algorithms, at least for very large q. In particular, it requires at most a constant times log8 q bit operations, in contrast to the q 1/4 used in Baby Step, Giant Step, for example. Subsequently, Atkin and Elkies refined and improved Schoof’s method (see Section 12.4). It has now been used successfully when q has several hundred decimal digits. In the following, we’ll give Schoof’s method. For details of the method of Atkins and Elkies, see [12] and [99]. For other methods for counting points, see [60] and [94]. Suppose E is an elliptic curve given by y 2 = x3 + Ax + B over Fq . We know, by Hasse’s theorem, that #E(Fq ) = q + 1 − a,

√ with |a| ≤ 2 q.

Let S = {2, 3, 5, 7, . . . , L} be a set of primes such that 

√  > 4 q.


∈S

 If we can determine a mod  for each prime  ∈ S, then we know a mod , and therefore a is uniquely determined. Let  be prime. For simplicity, we assume  = p, where p is the characteristic of Fq . We also assume that q is odd. We want to compute a (mod ). If  = 2, this is easy. If x3 + Ax + B has a root e ∈ Fq , then (e, 0) ∈ E[2] and (e, 0) ∈ E(Fq ), so E(Fq ) has even order. In this case, q + 1 − a ≡ 0 (mod 2), so a is even. If x3 + Ax + B has no roots in Fq , then E(Fq ) has no points of order 2, and a is odd. To determine whether x3 + Ax + B has a root in Fq , we could try all the elements in Fq , but there is a faster way. Recall (see Appendix C) that the roots of xq − x are exactly the elements of Fq . Therefore, x3 + Ax + B has a root in Fq if and only if it has a root in common with xq − x. The Euclidean algorithm, applied to polynomials, yields the gcd of the two polynomials.

124

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

If q is very large, the polynomial xq has very large degree. Therefore, it is more efficient to compute xq ≡ xq (mod x3 + Ax + B) by successive squaring (cf. Section 2.2), and then use the result to compute gcd(xq − x, x3 + Ax + B) = gcd(xq − x, x3 + Ax + B). If the gcd is 1, then there is no common root and a is odd. If the gcd is not 1, then a is even. This finishes the case  = 2. 2 In the following, various expressions such as xq and xq will be used. They will always be computed mod a polynomial in a manner similar to that just done in the case  = 2 In Section 3.2, we defined the division polynomials ψn . When n is odd, ψn is a polynomial in x and, for (x, y) ∈ E(Fq ), we have (x, y) ∈ E[n] ⇐⇒ ψn (x) = 0. These polynomials play a crucial role in Schoof’s algorithm. Let φq be the Frobenius endomorphism (not to be confused with the polynomials φn from Section 3.2, which are not used in this section), so φq (x, y) = (xq , y q ). By Theorem 4.10, φ2q − aφq + q = 0. Let (x, y) be a point of order . Then 

2

xq , y q

2



+ q(x, y) = a (xq , y q ) .

Let q
≡ q

(mod ),

|q
| < /2.

Then q(x, y) = q
(x, y), so 

2

xq , y q

2



+ q
(x, y) = a (xq , y q ) .

Since (xq , y q ) is also a point of order , this relation determines a mod . The idea is to compute all the terms except a in this relation, then determine a value of a that makes the relation hold. Note that if the relation holds for one point (x, y) ∈ E[], then we have determined a (mod ); hence, it holds for all (x, y) ∈ E[].   2

Assume first that xq , y q

2

def

(x , y  ) =

= ±q
(x, y) for some (x, y) ∈ E[]. Then



2

xq , y q

2



+ q
(x, y) = ∞,

125

SECTION 4.5 SCHOOF’S ALGORITHM

 2 2 so a ≡ 0 (mod ). In this case, the x-coordinates of xq , y q and q
(x, y) are distinct, so the sum of the two points is found by the formula using the line through the two points, rather than a tangent line or a vertical line. Write j(x, y) = (xj , yj ) for integers j. We may compute xj and yj using division polynomials, as in Section 3.2. Moreover, xj = r1,j (x) and yj = r2,j (x)y, as on page 47. We have  2 2 2 y q − yq
 − xq − xq
. x = 2 q x − xq
Writing 2  2  2 2 y q − yq
= y 2 y q −1 − r2,q
(x)  2 2 = (x3 + Ax + B) (x3 + Ax + B)(q −1)/2 − r2,q
(x) , and noting that xq
is a function of x, we change x into a rational function of x. We want to find j such that (x , y  ) = (xqj , yjq ). First, we look at the x-coordinates. Starting with (x, y) ∈ E[], we have (x , y  ) = ±(xqj , yjq ) if and only if x = xqj . As pointed out above, if this happens for one point in E[], it happens for all (finite) points in E[]. Since the roots of ψ
are the x-coordinates of the points in E[], this implies that x − xqj ≡ 0 (mod ψ
)

(4.4)

(this means that the numerator of x − xqj is a multiple of ψ
). We are using here the fact that the roots of ψ
are simple (otherwise, we would obtain only that ψ
divides some power of x −xqj ). This is proved by noting that there are 2 − 1 distinct points of order , since  is assumed not to be the characteristic of Fq . There are (2 − 1)/2 distinct x-coordinates of these points, and all of them are roots of ψ
, which has degree (2 − 1)/2. Therefore, the roots of ψ
must be simple. Assume now that we have found j such that (4.4) holds. Then (x , y  ) = ±(xqj , yjq ) = (xqj , ±yjq ). To determine the sign, we need to look at the y-coordinates. Both y  /y and yjq /y can be written as functions of x. If (y  − yjq )/y ≡ 0

(mod ψ
),

then a ≡ j (mod ). Otherwise, a ≡ −j (mod ). Therefore, we have found a (mod ).

126

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

 2 2 It remains to consider the case where xq , y q = ±q(x, y) for all (x, y) ∈

E[]. If

 2 2 φ2q (x, y) = xq , y q = q(x, y),

then

aφq (x, y) = φ2q (x, y) + q(x, y) = 2q(x, y),

hence

a2 q(x, y) = a2 φ2q (x, y) = (2q)2 (x, y).

Therefore, a2 q ≡ 4q 2 (mod ), so q is a square mod . If q is not a square mod , then we cannot be in this case. If q is a square mod , let w2 ≡ q (mod ). We have (φq + w)(φq − w)(x, y) = (φ2q − q)(x, y) = ∞ for all (x, y) ∈ E[]. Let P be any point in E[]. Then either (φq − w)P = ∞, so φq P = wP , or P  = (φq − w)P is a finite point with (φq + w)P  = ∞. Therefore, in either case, there exists a point P ∈ E[] with φq P = ±wP . Suppose there exists a point P ∈ E[] such that φq P = wP . Then ∞ = (φ2q − aφq + q)P = (q − aw + q)P, so aw ≡ 2q ≡ 2w2 (mod ). Therefore, a ≡ 2w (mod ). Similarly, if there exists P such that φq P = −wP , then a ≡ −2w (mod ). We can check whether we are in this case as follows. We need to know whether or not (xq , y q ) = ±w(x, y) = ±(xw , yw ) = (xw , ±yw ) for some (x, y) ∈ E[]. Therefore, we compute xq − xw , which is a rational function of x. If gcd(numerator(xq − xw ), ψ
) = 1, then there is some (x, y) ∈ E[] such that φq (x, y) = ±w(x, y). If this happens, then use the y-coordinates to determine the sign. Why do we use the gcd rather than simply checking whether we have 0 mod ψ
? The gcd checks for the existence of one point. Looking for 0 (mod ψ
) checks if the relation holds for all points simultaneously. The problem is that we are not guaranteed that φq P = ±wP for all P ∈ E[]. For example, the matrix representing φq on E[] might not be diagonalizable. It might w 1 be . In this case, the eigenvectors for φq form a one-dimensional 0 w subspace. q  gcd(numerator(x − xw ), ψ
) = 1, thenwe cannot  be in the case  If we have 2

xq , y q

2

2

= q(x, y), so the only remaining case is xq , y q (φ2q

2

= −q(x, y). In

this case, aP = + q)P = ∞ for all P ∈ E[]. Therefore, a ≡ 0 (mod ). We summarize Schoof’s algorithm as follows. We start with an elliptic curve E over Fq given by y 2 = x3 +Ax+B. We want to compute #E(Fq ) = q+1−a.

SECTION 4.5 SCHOOF’S ALGORITHM

127

1.  Choose a set of primes S = {2, 3, 5, . . . , L} (with p ∈ S) such that √
∈S  > 4 q. 2. If  = 2, we have a ≡ 0 (mod 2) if and only if gcd(x3 +Ax+B, xq −x) = 1. 3. For each odd prime  ∈ S, do the following. (a) Let q
≡ q (mod ) with |q
| < /2. (b) Compute the x-coordinate x of  2 2 (x , y  ) = xq , y q + q
(x, y) mod ψ
. (c) For j = 1, 2, . . . , ( − 1)/2, do the following. i. Compute the x-coordinate xj of (xj , yj ) = j(x, y). ii. If x − xqj ≡ 0 (mod ψ
), go to step (iii). If not, try the next value of j (in step (c)). If all values 1 ≤ j ≤ ( − 1)/2 have been tried, go to step (d). iii. Compute y  and yj . If (y  − yjq )/y ≡ 0 (mod ψ
), then a ≡ j (mod ). If not, then a ≡ −j (mod ). (d) If all values 1 ≤ j ≤ ( − 1)/2 have been tried without success, let w2 ≡ q (mod ). If w does not exist, then a ≡ 0 (mod ). (e) If gcd(numerator(xq − xw ), ψ
) = 1, then a ≡ 0 (mod ). Otherwise, compute gcd(numerator((y q − yw )/y), ψ
). If this gcd is not 1, then a ≡ 2w (mod ). Otherwise, a ≡ −2w (mod ).  4. Use the knowledge of a (mod ) for each  ∈ S to compute a (mod ). Choose the value of a that satisfies this congruence and such that |a| ≤ √ 2 q. The number of points in E(Fq ) is q + 1 − a. Example 4.13 Let E be the elliptic curve y 2 = x3 + 2x + 1 mod 19. Then #E(F19 ) = 19 + 1 − a. We want to determine a. We’ll show ⎧ ⎨1 a≡ 2 ⎩ 3

that (mod 2) (mod 3) (mod 5).

128

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

Putting these together yields a ≡ 23 (mod 30). √ Since |a| < 2 19 < 9, we must have a = −7. We start with  = 2. We compute x19 ≡ x2 + 13x + 14

(mod x3 + 2x + 1)

by successive squaring (cf. Section 2.2) and then use the result to compute gcd(x19 − x, x3 + 2x + 1) = gcd(x2 + 12x + 14, x3 + 2x + 1) = 1. It follows that x3 + 2x + 1 has no roots in F19 . Therefore, there is no 2-torsion in E(F19 ), so a ≡ 1 (mod 2). For  = 3, we proceed as in Schoof’s algorithm and eventually get to j = 1. We have q 2 = 361 and we have q ≡ 1 (mod 3). Therefore, q
= 1 and we need to check whether (x361 , y 361 ) + (x, y) = ±(x19 , y 19 ) for (x, y) ∈ E[3]. The third division polynomial is ψ3 = 3x4 + 12x2 + 12x − 4. We compute the x-coordinate of (x361 , y 361 ) + (x, y): 

y 361 − y x361 − x

2

− x361 − x = (x3 + 2x + 1)



(x3 + 2x + 1)180 − 1 x361 − x

2

− x361 − x,

where we have used the relation y 2 = x3 + 2x + 1. We need to reduce this mod ψ3 . The natural way to start is to use the extended Euclidean algorithm to find the inverse of x361 − x (mod ψ3 ). However, gcd(x361 − x, ψ3 ) = x − 8 = 1, so the multiplicative inverse does not exist. We could remove x − 8 from the numerator and denominator of (x3 + 2x + 1)180 − 1 , x361 − x but this is unnecessary. Instead, we realize that since x = 8 is a root of ψ3 , the point (8, 4) ∈ E(F19 ) has order 3. Therefore, #E(F19 ) = 19 + 1 − a ≡ 0

(mod 3),

so a ≡ 2 (mod 3). For  = 5, we follow Schoof’s algorithm, eventually arriving at j = 2. Note that 19 ≡ 4 ≡ −1 (mod 5),

129

SECTION 4.5 SCHOOF’S ALGORITHM

so q
= −1 and 19(x, y) = −(x, y) = (x, −y) for all (x, y) ∈ E[5]. We need to check whether ? def def (x , y  ) = (x361 , y 361 ) + (x, −y) = ±2(x19 , y 19 ) = ±(x , y  )

for all (x, y) ∈ E[5]. The recurrence of Section 3.2 shows that the fifth division polynomial is ψ5 = 32(x3 + 2x + 1)2 (x6 + 10x4 + 20x3 − 20x2 − 8x − 8 − 8) − ψ33

= 5x12 + 10x10 + 17x8 + 5x7 + x6 + 9x5 + 12x4 + 2x3 + 5x2 + 8x + 8.

The equation for the x-coordinates yields x =



y 361 + y x361 − x

2

?

− x361 − x ≡



3x38 + 2 2y 19

2

− 2x19 = x

(mod ψ5 ).

When y 2 is changed to x3 + 2x + 1, this reduces to a polynomial relation in x, which is then verified. Therefore, a ≡ ±2 (mod 5). To determine the sign, we look at the y-coordinates. The y-coordinate of (x , y  ) = (x361 , y 361 ) + (x, −y) is computed to be y(9x11 + 13x10 + 15x9 + 15x7 + 18x6 + 17x5 + 8x4 + 12x3 + 8x + 6)

(mod ψ5 ).

The y-coordinate of (x , y  ) = 2(x, y) is y(13x10 + 15x9 + 16x8 + 13x7 + 8x6 + 6x5 + 17x4 + 18x3 + 8x + 18)

(mod ψ5 ).

A computation yields 19

(y  + y  )/y ≡ 0

(mod ψ5 ).

This means that 19

19

(x , y  ) ≡ (x , −y  ) = −2(xq , y q ) (mod ψ5 ). It follows that a ≡ −2 (mod 5). As we showed above, the information from  = 2, 3, 5 is sufficient to yield a = −7. Therefore, #E(F19 ) = 27.

130

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

4.6 Supersingular Curves An elliptic curve E in characteristic p is called supersingular if E[p] = {∞}. In other words, there are no points of order p, even with coordinates in an algebraically closed field. Supersingular curves have many interesting properties, some of which we’ll discuss in the present section. Note: Supersingular curves are not singular curves in the sense of Section 2.4. The term “singular” was used classically to describe the j-invariants of elliptic curves with endomorphism rings larger than Z. These rings usually are subrings of quadratic extensions of the rationals. The term “supersingular” refers to j-invariants of curves with even larger rings of endomorphisms, namely, subrings of quaternion algebras. These ideas will be discussed in Chapter 10. The following result is useful because it gives a simple way of determining whether or not an elliptic curve over a finite field is supersingular. PROPOSITION 4.31 Let E be an elliptic curve over Fq , where q is a power of the prime number p. Let a = q + 1 − #E(Fq ). Then E is supersingular if and only if a ≡ 0 (mod p), which is if and only if #E(Fq ) ≡ 1 (mod p). PROOF

Write X 2 − aX + q = (X − α)(X − β). Theorem 4.12 implies that #E(Fqn ) = q n + 1 − (αn + β n ).

Lemma 4.13 says that sn = αn + β n satisfies the recurrence relation s0 = 2,

s1 = a,

sn+1 = asn − qsn−1 .

Suppose a ≡ 0 (mod p). Then s1 = a ≡ 0 (mod p), and sn+1 ≡ 0 (mod p) for all n ≥ 1 by the recurrence. Therefore, #E(Fqn ) = q n + 1 − sn ≡ 1

(mod p),

so there are no points of order p in E(Fqn ) for any n ≥ 1. Since Fq = ∪n≥1 Fqn , there are no points of order p in E(Fq ). Therefore, E is supersingular. Now suppose a ≡ 0 (mod p). The recurrence implies that sn+1 ≡ asn (mod p) for n ≥ 1. Since s1 = a, we have sn ≡ an (mod p) for all n ≥ 1. Therefore #E(Fqn ) = q n + 1 − sn ≡ 1 − an (mod p). By Fermat’s little theorem, ap−1 ≡ 1 (mod p). Therefore, E(Fqp−1 ) has order divisible by p, hence contains a point of order p. This means that E is not supersingular.

SECTION 4.6 SUPERSINGULAR CURVES

131

For the last part of the proposition, note that #E(Fq ) ≡ q + 1 − a ≡ 1 − a (mod p), so #E(Fq ) ≡ 1 (mod p) if and only if a ≡ 0 (mod p). COROLLARY 4.32 Suppose p ≥ 5 is a prime and E is defined over Fp . Then E is supersingular if and only if a = 0, which is the case if and only if #E(Fp ) = p + 1. PROOF If a = 0, then E is supersingular, by the proposition. Conversely, suppose E is supersingular but a = 0. Then a ≡ 0 (mod p) implies that √ √ |a| ≥ p. By Hasse’s theorem, |a| ≤ 2 p, so we have p ≤ 2 p. This means that p ≤ 4. When p = 2 or p = 3, there are examples of supersingular curves with a = 0. See Exercise 4.7. For general finite fields Fq , it can be shown that if E defined over Fq is supersingular, then a2 is one of 0, q, 2q, 3q, 4q. See [98], [80], or Theorem 4.3. In Section 3.1, we saw that the elliptic curve y 2 + a3 y = x3 + a4 x + a6 in characteristic 2 is supersingular. Also, in characteristic 3, the curve y 2 = x3 + a2 x2 + a4 x + a6 is supersingular if and only if a2 = 0. Here is a way to construct supersingular curves in many other characteristics. PROPOSITION 4.33 Suppose q is odd and q ≡ 2 (mod 3). Let B ∈ F× q . Then the elliptic curve E given by y 2 = x3 + B is supersingular. × 3 PROOF Let ψ : F× q → Fq be the homomorphism defined by ψ(x) = x . × Since q − 1 is not a multiple of 3, there are no elements of order 3 in Fq , so the kernel of ψ is trivial. Therefore, ψ is injective, hence must be surjective since it is a map from a finite group to itself. In particular, every element of Fq has a unique cube root in Fq . For each y ∈ Fq , there is exactly one x ∈ Fq such that (x, y) lies on the curve, namely, x is the unique cube root of y 2 − B. Since there are q values of y, we obtain q points. Including the point ∞ yields

#E(Fq ) = q + 1. Therefore, E is supersingular. Later (Theorem 4.34), we’ll see how to obtain all supersingular elliptic curves over an algebraically closed field.

132

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

An attractive feature of supersingular curves is that computations involving an integer times a point can sometimes be done faster than might be expected. Suppose E is a supersingular elliptic curve defined over Fq and let P = (x, y) be a point in E(Fqn ) for some n ≥ 1. Usually n is large. Let k be a positive integer. We want to compute kP . This can be done quickly by successive doubling, but it is possible to do even better. Let’s assume that a = 0. Then φ2q + q = 0 by Theorem 4.10. Therefore   2 2 q(x, y) = −φ2q (x, y) = xq , −y q . 2

2

The calculations of xq and y q involve finite field arithmetic, which is generally faster than elliptic curve calculations. Moreover, if x and y are expressed 2 2 in terms of a normal basis of Fqn over Fq , then xq and y q are computed by shift operations (see Appendix C). The procedure is now as follows: 1. Expand k in base q: k = k0 + k1 q + k2 q 2 + · · · + kr q r , with 0 ≤ ki < q. 2. Compute ki P = (xi , yi ) for each i. 2i

2i

3. Compute q i ki P = (xqi , (−1)i yiq ). 4. Sum the points q i ki P for 0 ≤ i ≤ r. The main savings is in step (3), where elliptic curve calculations are replaced by finite field computations. We now show how to obtain all supersingular curves over Fq . Note that supersingularity means that there are no points of order p with coordinates in the algebraic closure; hence, it is really a property of an elliptic curve over an algebraically closed field. If we have two elliptic curves E1 and E2 defined over a field such that E1 can be transformed into E2 by a change of variables defined over some extension field, then E1 is supersingular if and only if E2 is supersingular. For example, in Proposition 4.33, the curve y12 = x31 + B can be changed into y22 = x32 + 1 via x2 = x1 /B 1/3 , y2 = y1 /B 1/2 . Therefore, it would have sufficed to prove the proposition for the curve y 2 = x3 + 1. Recall (Section 2.5.1) that an elliptic curve E over an algebraically closed field of characteristic not 2 can be put into the Legendre form y 2 = x(x − 1)(x − λ) with λ = 0, 1.

SECTION 4.6 SUPERSINGULAR CURVES

133

THEOREM 4.34 Let p be an odd prime. Define the polynomial 2 (p−1)/2 

(p − 1)/2 T i. Hp (T ) = i i=0 The elliptic curve E given by y 2 = x(x−1)(x−λ) with λ ∈ Fp is supersingular if and only if Hp (λ) = 0. PROOF Since Fp = ∪n≥1 Fpn , we have λ ∈ Fq = Fpn for some n. So E is defined over Fq . To determine supersingularity, it suffices to count points in E(Fq ), by Proposition 4.31. We know (Exercise 4.4) that   x = x(q−1)/2 Fq in Fq . Therefore, by Theorem 4.14,

(q−1)/2 #E(Fq ) = q + 1 + (x(x − 1)(x − λ)) , x∈Fq

where this is now an equality in Fq . The integers in this formula are regarded as elements of Fp ⊆ Fq . The following lemma allows us to simplify the sum. LEMMA 4.35 Let i > 0 be an integer. Then 

0 xi = −1 x∈Fq

if q − 1
i if q − 1|i.

PROOF If q − 1|i then xi = 1 for all nonzero x, so the sum equals q − 1, which equals −1 in Fq . The group F× q is cyclic of order q − 1. Let g be a generator. Then every nonzero element of Fq can be written in the form g j with 0 ≤ j ≤ q − 2. Therefore, if q − 1
i,

xi = 0 +

x∈Fq

x∈F× q

xi =

q−2 q−2



(g i )q−1 − 1 = 0, (g j )i = (g i )j = gi − 1 j=0 j=0

since g q−1 = 1. Expand (x(x − 1)(x − λ))(q−1)/2 into a polynomial of degree 3(q − 1)/2. There is no constant term, so the only term xi with q − 1|i is xq−1 . Let Aq be the coefficient of xq−1 . By the lemma,

(x(x − 1)(x − λ))(q−1)/2 = −Aq , x∈Fq

134

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

since all the powers of x except for xq−1 sum to 0. Therefore, #E(Fq ) = 1 − Aq

in Fq .

By Proposition 4.31, E is supersingular if and only if Aq = 0 in Fq . The following lemma allows us to relate Aq to Ap . LEMMA 4.36 Let f (x) = x3 + c2 x2 + c1 x + c0 be a cubic polynomial with coefficients in a r field of characteristic p. For each r ≥ 1, let Apr be the coefficient of xp −1 in r f (x)(p −1)/2 . Then 2 +···+pr−1 Apr = A1+p+p . p PROOF

We have r

r

(f (x)(p−1)/2 )p = (x3(p−1)/2 + · · · + Ap xp−1 + · · · )p r

= x3(p−1)p

/2

r

r

+ · · · + App xp

(p−1)

+ ··· .

Therefore, r+1

f (x)(p

−1)/2

r

= f (x)(p r

= (x3(p

−1)/2

−1)/2

pr

f (x)(p−1)/2

r

+ · · · + Apr xp

3(p−1)pr /2

·(x



+ ··· +

−1

+ ···)

r r App xp (p−1)

+ · · · ).

r+1

To obtain the coefficient of xp −1 , choose indices i and j with i + j = pr+1 − 1, multiply the corresponding coefficients from the first and second factors in the above product, and sum over all such pairs i, j. A term with 0 ≤ i ≤ 3(pr − 1)/2 from the first factor requires a term with 3 pr+1 − 1 ≥ j ≥ (pr+1 − 1) − (pr − 1) > (p − 2)pr 2 from the second factor. Since all of the exponents in the second factor are multiples of pr , the only index j in this range that has a nonzero exponent is j = (p − 1)pr . The corresponding index i is pr − 1. The product of the coefficients yields r Apr+1 = Apr App . The formula of the lemma is trivially true for r = 1. It now follows by an easy induction for all r. From the lemma, we now see that E is supersingular if and only if Ap = 0. This is significant progress, since Ap depends on p but not on which power of p is used to get q.

SECTION 4.6 SUPERSINGULAR CURVES

135

It remains to express Ap as a polynomial in λ. The coefficient Ap of xp−1 in (x(x − 1)(x − λ))(p−1)/2 is the coefficient of x(p−1)/2 in ((x − 1)(x − λ))(p−1)/2 . By the binomial theorem, (x − 1)(p−1)/2 =

(p − 1)/2 i

(x − λ)(p−1)/2 =

i

(p − 1)/2 j

j

xi (−1)(p−1)/2−i x(p−1)/2−j (−λ)j .

The coefficient Ap of x(p−1)/2 in (x − 1)(p−1)/2 (x − λ)(p−1)/2 is (p−1)/2

(−1)

(p−1)/2 



k=0

(p − 1)/2 k

2

λk = (−1)(p−1)/2 Hp (λ).

Therefore, E is supersingular if and only if Hp (λ) = 0. This completes the proof of Theorem 4.34. It is possible to use the method of the preceding proof to determine when certain curves are supersingular. PROPOSITION 4.37 Let p ≥ 5 be prime. Then the elliptic curve y 2 = x3 + 1 over Fp is supersingular if and only if p ≡ 2 (mod 3), and the elliptic curve y 2 = x3 + x over Fp is supersingular if and only if p ≡ 3 (mod 4). PROOF The coefficient of xp−1 in (x3 + 1)(p−1)/2 is 0 if p ≡ 2 (mod 3)



≡ (since we only get exponents that are multiples of 3), and is (p−1)/2 (p−1)/3 0 (mod p) when p ≡ 1 (mod 3) (since the binomial coefficient contains no factors of p). Since the coefficient of xp−1 is zero mod p if and only if the curve is supersingular, this proves the first part. The coefficient of xp−1 in (x3 + x)(p−1)/2 is the coefficient of x(p−1)/2 in 2 (x + 1)(p−1)/2 . All exponents appearing in this last expression are even, so x(p−1)/2 doesn’t appear when p ≡ 3 (mod 4). When p ≡ 1 (mod 4),



≡ 0 (mod p). This proves the second part of the the coefficient is (p−1)/2 (p−1)/4 proposition. If E is an elliptic curve defined √ over Z with complex multiplication (see Chapter 10) by a subring of Q( −d), and p is an odd prime number not dividing d for which E (mod p) is an elliptic curve, then E (mod p) is supersingular if and only if −d is not a square mod p. Therefore, for such an E,

136

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

the curve E (mod p) is supersingular for approximately half of the primes. In the √ proposition, the curve y 2 = x3 + 1 has complex multiplication by Z[(1 + −3)/2], and −3 is a square mod p if and only √ if p ≡ 1 (mod 3). The curve y 2 = x3 + x has complex multiplication by Z[ −1], and −1 is a square mod p if and only if p ≡ 1 (mod 4). If E does not have complex multiplication, the set of primes for which E (mod p) is supersingular is much more sparse. Elkies [37] proved in 1986 that, for each E, the set of such primes is infinite. Wan [126], improving on an argument of Serre, showed that, for each > 0, the number of such p < x for which E (mod p) is supersingular is less than C x/ ln2− (x) for some constant C depending on . Since the number of primes less than x is approximately x/ ln x, this shows that substantially less than half of the primes are supersingular for E. It has been conjectured √ by Lang and Trotter that the number of supersingular p is asymptotic to C  x/ ln x (as x → ∞) for some constant C  depending on E. This has been shown to be true “on the average” by Fouvry and Murty [39]. We now change our viewpoint and fix p and count supersingular E over Fp . This essentially amounts to counting distinct zeros of Hp (T ). The values λ = 0, 1 are not allowed in the Legendre form of an elliptic curve. Moreover, they also don’t appear as zeros of Hp (T ). It is easy to see that Hp (0) = 1. For Hp (1), observe that the coefficient of x(p−1)/2 in (x + 1)p−1 = (x + 1)(p−1)/2 (x + 1)(p−1)/2 is



p−1 (p − 1)/2

 =

(p − 1)/2 (p − 1)/2  = Hp (1), k (p − 1)/2 − k k

n p−1 (use the identity nk = n−k ). Since (p−1)/2 contains no factors p, it is nonzero mod p. Therefore, Hp (1) = 0. PROPOSITION 4.38 Hp (T ) has (p − 1)/2 distinct roots in Fp . PROOF

We claim that

4T (1 − T )Hp (T ) + 4(1 − 2T )Hp (T ) − Hp (T ) ≡ 0 (mod p). Write Hp (T ) =



k bk T

k

(4.5)

. The coefficient of T k on the left side of (4.5) is

4(k + 1)kbk+1 − 4k(k − 1)bk + 4(k + 1)bk+1 − 8kbk − bk = 4(k + 1)2 bk+1 − (2k + 1)2 bk .

SECTION 4.6 SUPERSINGULAR CURVES

137

Using the fact that  2 (p − 1)/2 k+1  2 ((p − 1)/2)! = (k + 1)!(((p − 1)/2) − k − 1)!  2 ((p − 1)/2) − k = bk , k+1

bk+1 =

we find that the coefficient of T k is   2 4 (((p − 1)/2) − k) − (2k + 1)2 bk = p(p − 2 − 4k)bk ≡ 0

(mod p).

This proves the claim. Suppose now that Hp (λ) = 0 with λ ∈ Fp . Since Hp (0) = 0 and Hp (1) = 0, we have λ = 0, 1. Write Hp (T ) = (T −λ)r G(T ) for some polynomial G(T ) with G(λ) = 0. Suppose r ≥ 2. In (4.5), we have (T − λ)r−1 dividing the last term and the middle term, but only (T − λ)r−2 divides the term 4T (1 − T )Hp (T ). Since the sum of the three terms is 0, this is impossible, so we must have r = 1. Therefore, λ is a simple root. (Technical point: Since the degree of Hp (T ) is less than p, we have r < p, so the first term of the derivative Hp (T ) = r(r − 1)(T − λ)r−2 G(T ) + 2r(T − λ)r−1 G (T ) + (T − λ)r G (T ) does not disappear in characteristic p. Hence (T − λ)r−1 does not divide the first term of (4.5).) REMARK 4.39 The differential equation 4.5 is called a Picard-Fuchs differential equation. For a discussion of this equation in the study of families of elliptic curves in characteristic 0, see [24]. Once we know that Hp (T ) satisfies this differential equation, the simplicity of the roots follows from a characteristic p version of the uniqueness theorem for second order differential equations. If λ is a multiple root of Hp (T ), then Hp (λ) = Hp (λ) = 0. Such a uniqueness theorem would say that Hp (T ) must be identically 0, which is a contradiction. Note that we must avoid λ = 0, 1 because of the coefficient T (1 − T ) for Hp (T ). COROLLARY 4.40 Let p ≥ 5 be prime. The number of j ∈ Fp that occur as j-invariants of supersingular elliptic curves is p + p , 12 where p = 0, 1, 1, 2 if p ≡ 1, 5, 7, 11 (mod 12), respectively.

138

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

PROOF

The j-invariant of y 2 = x(x − 1)(x − λ) is 28

(λ2 − λ + 1)3 λ2 (λ − 1)2

(see Exercise 2.13), so the values of λ yielding a given j are roots of the polynomial Pj (λ) = 28 (λ2 − λ + 1)3 − jλ2 (λ − 1)2 . The discriminant of this polynomial is 230 (j−1728)3 j 4 , which is nonzero unless j = 0 or 1728. Therefore, there are 6 distinct values of λ ∈ Fp corresponding to each value of j = 0, 1728. If one of these λ’s is a root of Hp (T ), then all six must be roots, since the corresponding elliptic curves are all the same (up to changes of variables), and therefore all or none are supersingular. Since the degree of Hp (T ) is (p − 1)/2, we expect approximately (p − 1)/12 supersingular j-invariants, with corrections needed for the cases when at least one of j = 0 or j = 1728 is supersingular. When j = 0, the polynomial Pj (λ) becomes 28 (λ2 − λ + 1)3 , so there are two values of λ that give j = 0. When j = 1728, the polynomial becomes 28 (λ − 2)2 (λ − 12 )2 (λ + 1)2 , so there are three values of λ yielding j = 1728. A curve with j-invariant 0 can be put into the form y 2 = x3 + 1 over an algebraically closed field. Theorem 4.34 therefore tells us that when p ≡ 2 (mod 3), the two λ’s yielding j = 0 are roots of Hp (T ). Similarly, when p ≡ 3 (mod 4), the three λ yielding j = 1728 are roots of Hp (T ). Putting everything together, the total count of roots of Hp (T ) is 6 · #{supersingular j = 0, 1728} + 2δ2(3) + 3δ3(4) = deg Hp (T ) = (p − 1)/2, where δi(j) = 1 if p ≡ i (mod j) and = 0 otherwise. Suppose that p ≡ 5 (mod 12). Then δ2(3) = 1 and δ3(4) = 0, so the number of supersingular j = 0, 1728 is p−1 1  p  − = . 12 3 12 Adding 1 for the case j = 0 yields the number given in the proposition. The other cases of p (mod 12) are similar. Example 4.14 When p = 23, we have H23 (T ) = (T − 3)(T − 8)(T − 21)(T − 11)(T − 13)(T − 16) ·(T − 2)(T − 12)(T + 1)(T 2 − T + 1) (this is a factorization over F23 ). The first 6 factors correspond to 1 λ λ−1 1 , , }, {λ, , 1 − λ, λ 1−λ λ−1 λ

EXERCISES

139

with λ = 3, hence to the curve y 2 = x(x − 1)(x − 3). The next three factors correspond to j = 1728, hence to the curve y 2 = x3 + x. The last factor corresponds to j = 0, hence to y 2 = x3 + 1. Therefore, we have found the three supersingular curves over F23 . Of course, over F23 , there are different forms of these curves. For example, y 2 = x3 + 1 and y 2 = x3 + 2 are different curves over F23 , but are the same over F23 . Example 4.15 When p = 13, H13 (T ) ≡ (T 2 + 4T + 9)(T 2 + 12T + 3)(T 2 + 7T + 1). √ The six roots correspond to one value of j. Since λ = −2 + 8 is a root of the first factor, the corresponding elliptic curve is √ y 2 = x(x − 1)(x + 2 − 8).

√ The appearance of a square root such as 8 is fairly common. It is possible to show that a supersingular curve over a perfect field of characteristic p must have its j-invariant in Fp2 (see [109, Theorem V.3.1]). Therefore, a supersingular elliptic curve over Fq can always be transformed via a change of variables (over Fq ) into a curve defined over Fp2 .

Exercises 4.1 Let E be the elliptic curve y 2 = x3 + x + 1 (mod 5). (a) Show that 3(0, 1) = (2, 1) on E. (b) Show that (0, 1) generates E(F5 ). (Use the fact that E(F5 ) has order 9 (see Example 4.1), plus the fact that the order of any element of a group divides the order of the group.) 4.2 Let E be the elliptic curve y 2 + y = x3 over F2 . Show that  n 2 + 1 if n is odd #E(F2n ) = 2n + 1 − 2(−2)n/2 if n is even. 4.3 Let Fq be a finite field with q odd. Since F× q is cyclic of even order q − 1, half of the elements of F× q are squares and half are nonsquares.

140

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

(a) Let u ∈ Fq . Show that

x + u = 0. Fq

x∈Fq

(b) Let f (x) = (x − r)2 (x − s), where r, s ∈ Fq with q odd. Show that  

 f (x)  r−s =− . Fq Fq x∈Fq

(Hint: If x = r, then (x − r)2 (x − s) is a square exactly when x − s is a square.) 4.4 Let x ∈ Fq with q odd. Show that   x = x(q−1)/2 Fq as elements of Fq . (Remark: Since the exponentiation on the right can be done quickly, for example, by successive squaring (this is the multiplicative version of the successive doubling in Section 2.2), this shows that the generalized Legendre symbol can be calculated quickly. Of course, the classical Legendre symbol can also be calculated quickly using quadratic reciprocity.) 4.5 Let p ≡ 1 (mod 4) be prime and let E be given by y 2 = x3 − kx, where k ≡ 0 (mod p). (a) Use Theorem 4.23 to show that #E(Fp ) is a multiple of 4 when k is a square mod p. (b) Show that when k is a square mod p, then E(Fp ) contains 4 points P satisfying 2P = ∞. Conclude again that #E(Fp ) is a multiple of 4. (c) Show that when k is not a square mod p, then E(Fp ) contains no points of order 4. (d) Let k be a square but not a fourth power mod p. Show that exactly one of the curves y 2 = x3 − x and y 2 = x3 − kx has a point of order 4 defined over Fp . 4.6 Let E be an elliptic curve over Fq and suppose E(Fq )  Zn ⊕ Zmn . (a) Use the techniques of the proof of Proposition 4.16 to show that q = mn2 + kn + 1 for some integer k.

EXERCISES

141

√ (b) Use Hasse’s theorem in the form a2 ≤ 4q to show that |k| ≤ 2 m. Therefore, if m is fixed, q occurs as the value of one of finitely many quadratic polynomials. (c) The prime number theorem implies that the number of prime powers less than x is approximately x/ ln x. Use this to show that most prime powers do not occur as values of the finite list of polynomials in (b). √ √ (d) Use Hasse’s theorem to show that mn ≥ m( q − 1). (e) Show that if m ≥ 17 and q is sufficiently large (q ≥ 1122 suffices), √ then E(Fq ) has a point of order greater than 4 q. (f) Show that for most values of q, an elliptic curve over Fq has a point √ of order greater than 4 q. 4.7 (a) Let E be defined by y 2 + y = x3 + x over F2 . Show that #E(F2 ) = 5. (b) Let E be defined by y 2 = x3 −x+2 over F3 . Show that #E(F3 ) = 1. (c) Show that the curves in (a) and (b) are supersingular, but that, in each case, a = p + 1 − #E(Fp ) = 0. This shows that the restriction to p ≥ 5 is needed in Corollary 4.32. 4.8 Let p ≥ 5 be prime. Use Theorem 4.23 to prove Hasse’s theorem for the elliptic curve given by y 2 = x3 − kx over Fp . 4.9 Let E be an elliptic curve over Fq with q = p2m . Suppose that #E(Fq ) = √ q + 1 − 2 q. (a) Let φq be the Frobenius endomorphism. Show that (φq −pm )2 = 0. (b) Show that φq − pm = 0 (Hint: Theorem 2.22). (c) Show that φq acts as the identity on E[pm − 1], and therefore that E[pm − 1] ⊆ E(Fq ). (d) Show that E(Fq )  Zpm −1 ⊕ Zpm −1 . 4.10 Let E be an elliptic curve over Fq with q odd. Write #E(Fq ) = q+1−a. (d) be the twist of E, as in Exercise 2.23. Show Let d ∈ F× q and let E that   d a. #E (d) (Fq ) = q + 1 − Fq (Hint: Use Exercise 2.23(c) and Theorem 4.14.) 4.11 Let Fq be a finite field of odd characteristic and let a, b ∈ Fq with a = ±2b and b = 0. Define the elliptic curve E by y 2 = x3 + ax2 + b2 x.

142

CHAPTER 4 ELLIPTIC CURVES OVER FINITE FIELDS

√ √ (a) Show that the points (b, b a + 2b) and (−b, −b a − 2b) have order 4. (b) Show that at least one of a + 2b, a − 2b, a2 − 4b2 is a square in Fq . (c) Show that if a2 − 4b2 is a square in Fq , then E[2] ⊆ E(Fq ). (d) (Suyama) Show that #E(Fq ) is a multiple of 4. 2

3

2

(e) Let E  be defined by y  = x − 2ax + (a2 − 4b2 )x . Show that E  [2] ⊆ E  (Fq ). Conclude that #E  (Fq ) is a multiple of 4. The curve E  is isogenous to E via (x , y  ) = (y 2 /x2 , y(b2 − x2 )/x2 ) (see the end of Section 8.6 and also Chapter 12). It can be shown that this implies that #E(Fq ) = #E  (Fq ). This gives another proof of the result of part (d). The curve E has been used in certain elliptic curve factorization implementations (see [19]). 4.12 Let p be a prime and let E be a supersingular elliptic curve over the finite field Fp . Let φp be the Frobenius endomorphism. Show that some power of φp is an integer. (Note: This is easy when p ≥ 5. The cases p = 2, 3 can be done by a case-by-case calculation.) 4.13 Let E be an elliptic curve over Fq . Show that Hasse’s theorem can be restated as      #E(Fq ) − √q  ≤ 1.   4.14 Let E be an elliptic curve over Fq . Assume that q = r2 for some integer r. Suppose that #E(Fq ) = (r − 1)2 . Let φ = φq be the qth power Frobenius endomorphism. 2

(a) Show that (φ − r) = 0. (b) Show that φ − r = 0. (Hint: A nonzero endomorphism is surjective on E(Fq ) by Theorem 2.22.) (c) Show that (r − 1)E(Fq ) = 0. (d) Show that E(Fq )  Zr−1 ⊕ Zr−1 . (e) Now suppose E  is an elliptic curve over Fq with #E  (Fq ) = (r+1)2 (where q = r2 ). Show that E  (Fq )  Zr+1 ⊕ Zr+1 .

Chapter 5 The Discrete Logarithm Problem Let p be a prime and let a, b be integers that are nonzero mod p. Suppose we know that there exists an integer k such that ak ≡ b

(mod p).

The classical discrete logarithm problem is to find k. Since k + (p − 1) is also a solution, the answer k should be regarded as being defined mod p − 1, or mod a divisor d of p − 1 if ad ≡ 1 (mod p). More generally, let G be any group, written multiplicatively for the moment, and let a, b ∈ G. Suppose we know that ak = b for some integer k. In this context, the discrete logarithm problem is again to find k. For example, G could be the multiplicative group F× q of a finite field. Also, G could be E(Fq ) for some elliptic curve, in which case a and b are points on E and we are trying to find an integer k with ka = b. In Chapter 6, we’ll meet several cryptographic applications of the discrete logarithm problem. The security of the cryptosystems will depend on the difficulty of solving the discrete log problem. One way of attacking a discrete log problem is simple brute force: try all possible values of k until one works. This is impractical when the answer k can be an integer of several hundred digits, which is a typical size used in cryptography. Therefore, better techniques are needed. In this chapter, we start by discussing an attack, called the index calculus, that can be used in F× p , and more generally in the multiplicative group of a finite field. However, it does not apply to general groups. Then we discuss the method of Pohlig-Hellman, the baby step, giant step method, and Pollard’s ρ and λ methods. These work for general finite groups, in particular for elliptic curves. Finally, we show that for special classes of elliptic curves, namely supersingular and anomalous curves, it is possible to reduce the discrete log problem to easier discrete log problems (in the multiplicative group of a finite field and in the additive group of integers mod a prime, respectively).

143

144

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

5.1 The Index Calculus Let p be a prime and let g be primitive root (see Appendix A) mod p, which means that g is a generator for the cyclic group F× p . In other words, every h ≡ 0 (mod p) can be written in the form h ≡ g k for some integer k that is uniquely determined mod p − 1. Let k = L(h) denote the discrete logarithm of h with respect to g and p, so g L(h) ≡ h

(mod p).

Suppose we have h1 and h2 . Then g L(h1 h2 ) ≡ h1 h2 ≡ g L(h1 )+L(h2 )

(mod p),

which implies that L(h1 h2 ) ≡ L(h1 ) + L(h2 ) (mod p − 1). Therefore, L changes multiplication into addition, just like the classical logarithm function. The index calculus is a method for computing values of the discrete log function L. The idea is to compute L() for several small primes , then use this information to compute L(h) for arbitrary h. It is easiest to describe the method with an example. Example 5.1 Let p = 1217 and g = 3. We want to solve 3k ≡ 37 (mod 1217). Most of our work will be precomputation that will be independent of the number 37. Let’s choose a set of small primes, called the factor base, to be B = {2, 3, 5, 7, 11, 13}. First, we find relations of the form 3x ≡ ±product of some primes in B

(mod 1217).

Eventually, we find the following: 31 ≡ 3 24

(mod 1217) 2

3 ≡ −2 · 7 · 13 325 ≡ 53 330 ≡ −2 · 52 354 ≡ −5 · 11 387 ≡ 13 These can be changed into equations for discrete logs, where now the congruences are all mod p−1 = 1216. Note that we already know that 3(p−1)/2 ≡ −1

SECTION 5.1 THE INDEX CALCULUS

145

(mod p), so L(−1) = 608. 1 ≡ L(3)

(mod 1216)

24 ≡ 608 + 2L(2) + L(7) + L(13) 25 ≡ 3L(5) 30 ≡ 608 + L(2) + 2L(5) 54 ≡ 608 + L(5) + L(11) 87 ≡ L(13) The first equation yields L(3) ≡ 1. The third yields L(5) ≡ 819 (mod 1216). The sixth yields L(13) ≡ 87. The fourth gives L(2) ≡ 30 − 608 − 2 · 819 ≡ 216

(mod 1216).

The fifth yields L(11) ≡ 54 − 608 − L(5) ≡ 1059. Finally, the second gives L(7) ≡ 24 − 608 − 2L(2) − L(13) ≡ 113

(mod 1216).

We now know the discrete logs of all the elements of the factor base. Recall that we want to solve 3k ≡ 37 (mod 1216). We compute 3j · 37 (mod p) for several random values of j until we obtain an integer that can be factored into a product of primes in B. In our case, we find that 316 · 37 ≡ 23 · 7 · 11

(mod 1217).

Therefore, L(37) ≡ 3L(2) + L(7) + L(11) − 16 ≡ 588

(mod 1216),

and 3588 ≡ 37 (mod 1217). The choice of the size of the factor base B is important. If B is too small, then it will be very hard to find powers of g that factor with primes in B. If B is too large, it will be easy to find relations, but the linear algebra needed to solve for the logs of the elements of B will be unwieldy. An example that was completed in 2001 by A. Joux and R. Lercier used the first 1 million primes to compute discrete logs mod a 120-digit prime. There are various methods that produce relations of the form g x ≡ product of primes in B. A popular one uses the number field sieve. See [58]. The expected running time of the index calculus is approximately a constant √ times exp( 2 ln p ln ln p) (see [81, p. 129]), which means that it is a subexponential algorithm. The algorithms in Section 5.2, which are√exponential √ algorithms, run in time approximately p = exp( 12 ln p). Since 2 ln p ln ln p is much smaller than 12 ln p for large p, the index calculus is generally much faster when it can be used.

146

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

Note that the index calculus depends heavily on the fact that integers can be written as products of primes. An analogue of this is not available for arbitrary groups. There is a generalization of the index calculus that works for finite fields, but it requires some algebraic number theory, so we do not discuss it here. In Section 13.4, we show how an analogue of the index calculus can be applied to groups arising from hyperelliptic curves.

5.2 General Attacks on Discrete Logs In this section, we discuss attacks that work for arbitrary groups. Since our main focus is elliptic curves, we write our group G additively. Therefore, we are given P, Q ∈ G and we are trying to solve kP = Q (we always assume that k exists). Let N be the order of G. Usually, we assume N is known. For simplicity, it is usually assumed that P generates G.

5.2.1 Baby Step, Giant Step

√ This method, developed by D. Shanks [107], requires approximately N √ steps and around N storage. Therefore it only works well for moderate sized N . The procedure is as follows. √ 1. Fix an integer m ≥ N and compute mP . 2. Make and store a list of iP for 0 ≤ i < m. 3. Compute the points Q − jmP for j = 0, 1, · · · m − 1 until one matches an element from the stored list. 4. If iP = Q − jmP , we have Q = kP with k ≡ i + jm (mod N ). Why does this work? Since m2 > N , we may assume the answer k satisfies 0 ≤ k < m2 . Write k = k0 + mk1 with k0 ≡ k (mod m) and 0 ≤ k0 < m and let k1 = (k − k0 )/m. Then 0 ≤ k1 < m. When i = k0 and j = k1 , we have Q − k1 mP = kP − k1 mP = k0 P, so there is a match. The point iP is calculated by adding P (a “baby step”) to (i − 1)P . The point Q − jmP is computed by adding −mP (a “giant step”) to Q − (j − 1)mP . The method was developed by Shanks for computations in algebraic number theory.

SECTION 5.2 GENERAL ATTACKS ON DISCRETE LOGS

147

Note that we did not need to know the exact order N of G. We only required an upper bound for N . Therefore, for elliptic curves over Fq , we √ could use this method with m2 ≥ q + 1 + 2 q, by Hasse’s theorem. A slight improvement of the method can be made for elliptic curves by computing and storing only the points iP for 0 ≤ i ≤ m/2 and checking whether Q − jmP = ±iP (see Exercise 5.1). Example 5.2 Let G = E(F41 ), where E is given by y 2 = x3 + 2x + 1. Let P = (0, 1) and Q = (30, 40). By Hasse’s theorem, we know that the order of G is at most 54, so we let m = 8. The points iP for 1 ≤ i ≤ 7 are (0, 1), (1, 39), (8, 23), (38, 38), (23, 23), (20, 28), (26, 9). We calculate Q − jmP for j = 0, 1, 2 and obtain (30, 40), (9, 25), (26, 9), at which point we stop since this third point matches 7P . Since j = 2 yielded the match, we have (30, 40) = (7 + 2 · 8)P = 23P. Therefore k = 23.

5.2.2 Pollard’s ρ and λ Methods A disadvantage of the Baby Step, Giant Step method is that it requires a lot of storage. Pollard’s ρ and λ methods [87] run in approximately the same time as Baby Step, Giant Step, but require very little storage. First, we’ll discuss the ρ method, then its generalization to the λ method. Let G be a finite group of order N . Choose a function f : G → G that behaves rather randomly. Then start with a random element P0 and compute the iterations Pi+1 = f (Pi ). Since G is a finite set, there will be some indices i0 < j0 such that Pi0 = Pj0 . Then Pi0 +1 = f (Pi0 ) = f (Pj0 ) = Pj0 +1 , and, similarly, Pi0 +
= Pj0 +
for all  ≥ 0. Therefore, the sequence Pi is periodic with period j0 − i0 (or possibly a divisor of j0 − i0 ). The picture describing this process (see Figure 5.1) looks like the Greek letter ρ, which is why it is called Pollard’s ρ method. If f is a randomly chosen random function (we’ll not make this √ precise), then we expect to find a match with j0 at most a constant times N . For an analysis of the running time for various choices of function f , see [119].

148

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

A naive implementation of√the method stores all the points Pi until a match is found. This takes around N storage, which is similar to Baby Step, Giant Step. However, as R. W. Floyd has pointed out, it is possible to do much better at the cost of a little more computation. The key idea is that once there is a match for two indices differing by d, all subsequent indices differing by d will yield matches. This is just the periodicity mentioned above. Therefore, we can compute pairs (Pi , P2i ) for i = 1, 2, . . . , but only keep the current pair; we don’t store the previous pairs. These can be calculated by the rules Pi+1 = f (Pi ),

P2(i+1) = f (f (P2i )).

Suppose i ≥ i0 and i is a multiple of d. Then the indices 2i and i differ by a multiple of d and hence yield a match: Pi = P2i . Since d ≤ j0 and i0 < j0 , it follows easily that there is a match for i ≤ j0 . Therefore, the number √ of steps to find a match is expected to be at most a constant multiple of N . Another method of finding a match is to store only those points Pi that satisfy a certain property (call them “distinguished points”). For example, we could require the last k bits of the binary representation of the x-coordinate to be 0. We then store, on the average, one out of every 2k points Pi . Suppose there is a match Pi = Pj but Pi is not one of these distinguished points. We expect Pi+
to be a distinguished point for some  with 1 ≤  ≤ 2k , approximately. Then Pj+
= Pi+
, so we find a match between distinguished points with only a little more computation. The problem remains of how to choose a suitable function f . Besides having f act randomly, we need to be able to extract useful information from a match. Here is one way of doing this. Divide G into s disjoint subsets S1 , S2 , . . . , Ss of approximately the same size. A good choice for s seems to be around 20. Choose 2s random integers ai , bi mod N . Let Mi = ai P + bi Q. Finally, define f (g) = g + Mi

if g ∈ Si .

The best way to think of f is as giving a random walk in G, with the possible steps being the elements Mi . Finally, choose random integers a0 , b0 and let P0 = a0 P +b0 Q be the starting point for the random walk. While computing the points Pj , we also record how these points are expressed in terms of P and Q. If Pj = uj P + vj Q and Pj+1 = Pj + Mi , then Pj+1 = (uj + ai )P + (vj + bi )Q, so (uj+1 , vj+1 ) = (uj , vj ) + (ai , bi ). When we find a match Pj0 = Pi0 , then we have uj0 P + vj0 Q = ui0 P + vi0 Q, hence (ui0 − uj0 )P = (vj0 − vi0 )Q. If gcd(vj0 − vi0 , N ) = d, we have k ≡ (vj0 − vi0 )−1 (ui0 − uj0 )

(mod N/d).

SECTION 5.2 GENERAL ATTACKS ON DISCRETE LOGS

149

P59
P6 P58
P5 P4 P3 P2 P1 P0 Figure 5.1

Pollard’s Rho Method This gives us d choices for k. Usually, d will be small, so we can try all possibilities until we have Q = kP . In cryptographic applications, N is often prime, in which case, d = 1 or N . If d = N , we have a trivial relation (the coefficients of both P and Q are multiples of N ), so we start over. If d = 1, we obtain k. Example 5.3 Let G = E(F1093 ), where E is the elliptic curve given by y 2 = x3 + x + 1. We’ll use s = 3. Let P = (0, 1) and Q = (413, 959). It can be shown that the order of P is 1067. We want to find k such that kP = Q. Let P0 = 3P + 5Q,

M0 = 4P + 3Q,

M1 = 9P + 17Q,

M2 = 19P + 6Q.

Let f : E(F1093 ) → E(F1093 ) be defined by f (x, y) = (x, y) + Mi

if x ≡ i

(mod 3).

Here the number x is regarded as an integer 0 ≤ x < 1093 and is then reduced mod 3. For example, f (P0 ) = P0 + M2 = (727, 589), since P0 = (326, 69) and 326 ≡ 2 (mod 3). We can define f (∞) = ∞ if we want. However, if we encounter f (∞), we have found a relation of the form aP + bQ = ∞ and can find k easily (if the relation isn’t something trivial like 1067P +2134Q = ∞). Therefore, we don’t worry about ∞.

150

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

If we compute P0 , P1 = f (P0 ), P2 = f (P1 ), . . . , we obtain P0 = (326, 69), P1 = (727, 589), P2 = (560, 365), P3 = (1070, 260), P4 = (473, 903), P5 = (1006, 951), P6 = (523, 938), . . . , P57 = (895, 337), P58 = (1006, 951), P59 = (523, 938), . . . . Therefore, the sequence starts repeating at P5 = P58 . If we keep track of the coefficients of P and Q in the calculations, we find that P5 = 88P + 46Q and P58 = 685P + 620Q. Therefore, ∞ = P58 − P5 = 597P + 574Q. Since P has order 1067, we calculate −574−1 597 ≡ 499

(mod 1067).

Therefore, Q = 499P , so k = 499. We stored all of the points P0 , P1 , . . . , P58 until we found a match. Instead, let’s repeat the computation, but compute the pairs (Pi , P2i ) and store nothing except the current pair. We then find that for i = 53 there is the match P53 = P106 . This yields 620P + 557Q = P53 = P106 = 1217P + 1131Q. Therefore, 597P + 574Q = ∞, which yields k = 499, as before. Pollard’s λ method uses a function f as in the ρ method, but several (1) (r) random starting points P0 , . . . , P0 are used. We then get sequences defined by (
) (
) Pi+1 = f (Pi ), 1 ≤  ≤ r, i = 0, 1, 2, . . . . These can be computed by several computers in parallel. Points satisfying certain conditions are called distinguished and are reported to a central computer. When a match is found among the inputs from the various computers, we have a relation that should allow us to solve the discrete log problem, as in the ρ method. When there is a match between two sequences, these two sequences will always match from that point on. We only need to look at distinguished points because distinguished points should occur soon after a match occurs. When there are only two random starting points, we have two random walks. Eventually they will have a point in common, and therefore they will coincide thereafter. The picture of this process resembles the Greek letter λ, hence the name. Sometimes the λ method is described in terms of kangaroos jumping around a field (this is the random walk). A variant of the λ method with two random

SECTION 5.2 GENERAL ATTACKS ON DISCRETE LOGS

151

walks records every 10th point, for example, in the first sequence and then checks whether the second sequence matches any of these points. In this case, the first sequence is called a tame kangaroo, and the second is called a wild kangaroo. The idea is to use the tame kangaroo to catch the wild kangaroo. √ The λ method is expected to find a match in at most a constant times N steps. If it is run in parallel with many starting points, the running time can be improved significantly. Finally, we should point out a difference between the baby step, giant step method and the ρ and λ methods. The baby step, giant step method is deterministic, which means√that it is guaranteed to finish within the predicted time of a constant times N . On the other hand, the ρ and λ methods are probabilistic, which means that there is a very high probability that they will finish within the predicted time, but this is not guaranteed.

5.2.3 The Pohlig-Hellman Method As before, P, Q are elements in a group G and we want to find an integer k with Q = kP . We also know the order N of P and we know the prime factorization
qiei N= i

of N . The idea of Pohlig-Hellman is to find k (mod qiei ) for each i, then use the Chinese Remainder theorem to combine these and obtain k (mod N ). Let q be a prime, and let q e be the exact power of q dividing N . Write k in its base q expansion as k = k0 + k1 q + k2 q 2 + · · · with 0 ≤ ki < q. We’ll evaluate k (mod q e ) by successively determining k0 , k1 , . . . , ke−1 . The procedure is as follows.     1. Compute T = j Nq P | 0 ≤ j ≤ q − 1 . 2. Compute

N q Q.

 This will be an element k0

N q P

 of T .

3. If e = 1, stop. Otherwise, continue. 4. Let Q1 = Q − k0 P . 5. Compute

N q 2 Q1 .

This will be an element k1



N q P

 of T .

6. If e = 2, stop. Otherwise, continue. 7. Suppose we have computed k0 , k1 , . . . , kr−1 , and Q1 , . . . , Qr−1 .

152

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

8. Let Qr = Qr−1 − kr−1 q r−1 P . 9. Determine kr such that

N q r+1 Qr

 = kr

N q P

 .

10. If r = e − 1, stop. Otherwise, return to step (7). Then k ≡ k0 + k1 q + · + ke−1 q e−1

(mod q e ).

Why does this work? We have N N Q = (k0 + k1 q + · · · )P q q N N = k0 P + (k1 + k2 q + · · · )N P = k0 P, q q since N P = ∞. Therefore, step (2) finds k0 . Then Q1 = Q − k0 P = (k1 q + k2 q 2 + · · · )P, so N N Q1 = (k1 + k2 q + · · · ) P 2 q q N N = k1 P + (k2 + k3 q + · · · )N P = k1 P. q q Therefore, we find k1 . Similarly, the method produces k2 , k3 , . . . . We have to stop after r = e − 1 since N/q e+1 is no longer an integer, and we cannot multiply Qe by the noninteger N/q e+1 . Besides, we do not need to continue because we now know k mod q e . Example 5.4 Let G = E(F599 ), where E is the elliptic curve given by y 2 = x3 + 1. Let P = (60, 19) and Q = (277, 239). The methods of Section 4.3.3 can be used to show that P has order N = 600. We want to solve Q = kP for k. The prime factorization of N is 600 = 23 · 3 · 52 . We’ll compute k mod 8, mod 3, and mod 25, then recombine to obtain k mod 600 (the Chinese Remainder Theorem allows us to do this). k mod 8. We compute T = {∞, (598, 0)}. Since   N P , (N/2)Q = ∞ = 0 · 2

SECTION 5.2 GENERAL ATTACKS ON DISCRETE LOGS

153

we have k0 = 0. Therefore, Q1 = Q − 0P = Q. Since (N/4)Q1 = 150Q1 = (598, 0) = 1 ·

N 2 P,

we have k1 = 1. Therefore,

Q2 = Q1 − 1 · 2 · P = (35, 243). Since (N/8)Q2 = 75Q2 = ∞ = 0 ·

N 2 P,

we have k2 = 0. Therefore,

k = 0 + 1 · 2 + 0 · 4 + · · · ≡ 2 (mod 8). k mod 3. We have T = {∞, (0, 1), (0, 598)}. Since (N/3)Q = (0, 598) = 2 ·

N P, 3

we have k0 = 2. Therefore, k ≡ 2 (mod 3). k mod 25. We have T = {∞, (84, 179), (491, 134), (491, 465), (84, 420)}. Since (N/5)Q = (84, 179), we have k0 = 1. Then Q1 = Q − 1 · P = (130, 129). Since (N/25)Q1 = (491, 465), we have k1 = 3. Therefore, k = 1 + 3 · 5 + · · · ≡ 16

(mod 25).

We now have the simultaneous congruences ⎧ ⎨ x ≡ 2 (mod 8) x ≡ 2 (mod 3) . ⎩ x ≡ 16 (mod 25) These combine to yield k ≡ 266 (mod 600), so k = 266. The Pohlig-Hellman method works well if all of the prime numbers dividing N are small. However, if q is a large prime dividing N , then it is difficult to list the elements of T , which contains q elements. We could try to find the ki without listing the elements; however, finding ki is a discrete log problem in the group generated by (N/q)P , which has order q. If q is of the same order of magnitude as N (for example, q = N or q = N/2), then the Pohlig-Hellman method is of little use. For this reason, if a cryptographic system is based on

154

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

discrete logs, the order of the group should be chosen so it contains a large prime factor. If N contains some small prime factors, then the Pohlig-Hellman method can be used to obtain partial information on the value of k, namely a congruence modulo a product of these small prime factors. In certain cryptographic situations, this could be undesirable. Therefore, the group G is often chosen to be of large prime order. This can be accomplished by starting with a group that has a large prime q in its order. Pick a random point P1 and compute its order. With high probability (at least 1 − 1/q; cf. Remark 5.2), the order of P1 is divisible by q, so in a few tries, we can find such a point P1 . Write the order of P1 as qm. Then P = mP1 will have order q. As long as q is sufficiently large, discrete log problems in the cyclic group generated by P will resist the Pohlig-Hellman attack.

5.3 Attacks with Pairings One strategy for attacking a discrete logarithm problem is to reduce it to an easier discrete logarithm problem. This can often be done with pairings such as the Weil pairing or the Tate-Lichtenbaum pairing, which reduce a discrete logarithm problem on an elliptic curve to one in the multiplicative group of a finite field.

5.3.1 The MOV Attack The MOV attack, named after Menezes, Okamoto, and Vanstone [80], uses the Weil pairing to convert a discrete log problem in E(Fq ) to one in F× qm . Since discrete log problems in finite fields can be attacked by index calculus methods, they can be solved faster than elliptic curve discrete log problems, as long as the field Fqm is not much larger than Fq . For supersingular curves, we can usually take m = 2, so discrete logarithms can be computed more easily for these curves than for arbitrary elliptic curves. This is unfortunate from a cryptographic standpoint since an attractive feature of supersingular curves is that calculations can often be done quickly on them (see Section 4.6). Recall that for an elliptic curve E defined over Fq , we let E[N ] denote the set of points of order dividing N with coordinates in the algebraic closure. If gcd(q, N ) = 1 and S, T ∈ E[N ], then the Weil pairing eN (S, T ) is an N th root of unity and can be computed fairly quickly. The pairing is bilinear, and if {S, T } is a basis for E[N ], then eN (S, T ) is a primitive N th root of unity. For any S, eN (S, S) = 1. For more properties of the Weil pairing, see Sections 3.3 and 11.2.

SECTION 5.3 ATTACKS WITH PAIRINGS

155

Let E be an elliptic curve over Fq . Let P, Q ∈ E(Fq ). Let N be the order of P . Assume that gcd(N, q) = 1. We want to find k such that Q = kP . First, it’s worthwhile to check that k exists. LEMMA 5.1 There exists k such that Q = kP if and only if N Q = ∞ and the Weil paring eN (P, Q) = 1. PROOF

If Q = kP , then N Q = kN P = ∞. Also, eN (P, Q) = eN (P, P )k = 1k = 1.

Conversely, if N Q = ∞, then Q ∈ E[N ]. Since gcd(N, q) = 1, we have E[N ] ZN ⊕ ZN , by Theorem 3.2. Choose a point R such that {P, R} is a basis of E[N ]. Then Q = aP + bR for some integers a, b. By Corollary 3.10, eN (P, R) = ζ is a primitive N th root of unity. Therefore, if eN (P, Q) = 1, we have 1 = eN (P, Q) = eN (P, P )a eN (P, R)b = ζ b . This implies that b ≡ 0 (mod N ), so bR = ∞. Therefore, Q = aP , as desired.

The idea used to prove the lemma yields the MOV attack on discrete logs for elliptic curves. Choose m so that E[N ] ⊆ E(Fqm ). Since all the points of E[N ] have coordinates in Fq = ∪j≥1 Fqj , such an m exists. By Corollary 3.11, the group µN of N th roots of unity is contained in Fqm . All of our calculations will be done in Fqm . The algorithm is as follows. 1. Choose a random point T ∈ E(Fqm ). 2. Compute the order M of T . 3. Let d = gcd(M, N ), and let T1 = (M/d)T . Then T1 has order d, which divides N , so T1 ∈ E[N ]. 4. Compute ζ1 = eN (P, T1 ) and ζ2 = eN (Q, T1 ). Then both ζ1 and ζ2 are in µd ⊆ F× qm . 5. Solve the discrete log problem ζ2 = ζ1k in F× q m . This will give k (mod d).

156

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

6. Repeat with random points T until the least common multiple of the various d’s obtained is N . This determines k (mod N ). REMARK 5.2 At first, it might seem that d = 1 will occur very often. However, the opposite is true because of the structure of E(Fqm ). Recall that E(Fqm ) Zn1 ⊕ Zn2 for some integers n1 , n2 with n1 |n2 (possibly, n1 = 1, in which case the group is cyclic). Then N |n2 , since n2 is the largest possible order of an element of the group. Let B1 , B2 be points of orders n1 , n2 , respectively, such that B1 , B2 generate E(Fqm ). Then T = a1 B1 + a2 B2 . Let e be a prime power dividing N . Then f |n2 with f ≥ e. If 
a2 , then f divides M , the order of T . Therefore, e |d = gcd(M, N ). Since the probability that 
a2 is 1 − 1/, the probability is at least this high that the full power e is in d. After a few choices of T , this should be the case. (Note that our probability estimates are low, since we never included the possible contribution of the a1 B1 term.) Therefore, a few iterations of the algorithm should yield k. Potentially, the integer m could be large, in which case the discrete log m − 1, is just as hard as the problem in the group F× q m , which has order q original discrete log problem in the smaller group E(Fq ), which has order approximately q, by Hasse’s theorem. However, for supersingular curves, we can usually take m = 2, as the next result shows. Let E be an elliptic curve over Fq , where q is a power of the prime number p. Then #E(Fq ) = q + 1 − a for some integer a. The curve E is called supersingular if a ≡ 0 (mod p). Corollary 4.32 says that this is equivalent to a = 0 when q = p ≥ 5. PROPOSITION 5.3 Let E be an elliptic curve over Fq and suppose a = q + 1 − #E(Fq ) = 0. Let N be a positive integer. If there exists a point P ∈ E(Fq ) of order N , then E[N ] ⊆ E(Fq2 ). PROOF The Frobenius endomorphism φq satisfies φ2q − aφq + q = 0. Since a = 0, this reduces to φ2q = −q. Let S ∈ E[N ]. Since #E(Fq ) = q + 1, and since there exists a point of order N , we have N |q + 1, or −q ≡ 1 (mod N ). Therefore φ2q (S) = −qS = 1 · S.

SECTION 5.3 ATTACKS WITH PAIRINGS

157

By Lemma 4.5, S ∈ E(Fq2 ), as claimed. Therefore, discrete log problems over Fq for supersingular curves with a = 0 can be reduced to discrete log calculations in F× q 2 . These are much easier. When E is supersingular but a = 0, the above ideas work, but possibly m = 3, 4, or 6 (see [80] and Exercise 5.12). This is still small enough to speed up discrete log computations.

5.3.2 The Frey-R¨ uck Attack Frey and R¨ uck showed that in some situations, the Tate-Lichtenbaum pairing τn can be used to solve discrete logarithm problems (see [41] and also [40]). First, we need the following. LEMMA 5.4 Let  be a prime with |q − 1, |#E(Fq ), and 2
#E(Fq ). Let P be a generator of E(Fq )[]. Then τ
(P, P ) is a primitive th root of unity. PROOF If τ
(P, P ) = 1, then τ
(uP, P ) = 1u = 1 for all u ∈ Z. Since τ
is nondegenerate, P ∈ E(Fq ). Write P = P1 . Then 2 P1 = P = ∞. Since 2
#E(Fq ), there are no points of order 2 . Therefore P1 must have order 1 or . In particular, P = P1 = ∞, which is a contradiction. Therefore τ
(P, P ) = 1, so it must be a primitive th root of unity. Let E(Fq ) and P be as in the lemma, and suppose Q = kP . Compute τ
(P, Q) = τ
(P, P )k . Since τ
(P, P ) is a primitive th root of unity, this determines k (mod ). We have therefore reduced the discrete log problem to one in the multiplicative group of the finite field Fq . Such discrete log problems are usually easier to solve. Therefore, to choose a situation where the discrete log problem is hard, we should choose a situation where there is a point of order , where  is a large prime, and such that 
q −1. In fact, we should arrange that q m ≡ 1 (mod ) for small values of m. Suppose E(Fq ) has a point of order n, but n
q − 1. We can extend our field to Fqm so that n|q m − 1. Then the Tate-Lichtenbaum pairing can be used. However, the following proposition from [9] shows, at least in the case n is prime, that the Weil pairing also can be used. PROPOSITION 5.5 Let E be an elliptic curve over Fq . Let  be a prime such that |#E(Fq ),

158

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

E[] ⊆ E(Fq ), and 
q(q − 1). Then E[] ⊆ E(Fqm ) if and only if q m ≡ 1 (mod ). PROOF If E[] ⊆ E(Fqm ), then µ
⊆ Fqm by Corollary 3.11, hence q m ≡ 1 (mod ). Conversely, suppose q m ≡ 1 (mod ). Let P ∈ E(Fq ) have order  and let Q ∈ E[] with Q ∈ E(Fq ). We claim that P and Q are independent points of order . If not, then uP = vQ for some integers u, v ≡ 0 (mod ). Multiplying by v −1 (mod ), we find that Q = v −1 uP ∈ E(Fq ), which is a contradiction. Therefore {P, Q} is a basis for E[]. Let φq be the Frobenius map. The action of φq on the basis {P, Q} of E[] gives us a matrix (φq )
, as in Section 3.1. Since P ∈ E(Fq ), we have φq (P ) = P . Let φq (Q) = bP + dQ. Then  (φq )
=

1b 0d

 .

From Theorem 4.10, we know that Trace((φq )
) ≡ a = q + 1 − #E(Fq ) (mod ). Since #E(Fq ) ≡ 0 (mod ) by assumption, we have 1 + d ≡ q + 1 (mod ), so d ≡ q (mod ). An easy induction shows that 

1b 0q



m =

m

−1 1 b qq−1 m 0 q

 .

Since q ≡ 1 (mod ), by assumption, we have m φm q = 1 on E[] ⇐⇒ (φq )
≡ I

(mod ) ⇐⇒ q m ≡ 1

(mod ).

Since E[] ⊆ E(Fqm ) if and only if φm q = 1 on E[], by Lemma 4.5, this proves the proposition. If we have E[n] ⊆ E(Fqm ), then we can use the MOV attack or we can use the Tate-Lichtenbaum pairing to reduce discrete log problems in E(Fqm ) to discrete log problems in F× q m . The Tate-Lichtenbaum pairing is generally faster (see [44]). In both cases, we pick arbitrary points R and compute their pairings with P and kP . With high probability (as in Section 5.3.1), we obtain k after using only a few values of R.

SECTION 5.4 ANOMALOUS CURVES

159

5.4 Anomalous Curves The reason the MOV attack works is that it is possible to use the Weil pairing. In order to avoid this, it was suggested that elliptic curves E over Fq with #E(Fq ) = q be used. Such curves are called anomalous. Unfortunately, the discrete log problem for the group E(Fq ) can be solved quickly. However, as we’ll see below, anomalous curves are potentially useful when considered over extensions of Fq , since they permit a speed-up in certain calculations in E(Fq ). The Weil pairing is not defined on E[p] (or, if we defined it, it would be trivial since E[p] is cyclic and also since there are no nontrivial pth roots of unity in characteristic p; however, see [10] for a way to use a Weil pairing in this situation). Therefore, it was hoped that this would be a good way to avoid the MOV attack. However, it turns out that there is a different attack for anomalous curves that works even faster for these curves than the MOV attack works for supersingular curves. In the following, we show how to compute discrete logs in the case q = p. Procedures for doing this have been developed in [95], [102], and [115]. Similar ideas work for subgroups of p-power order in E(Fq ) when q is a power of p (but in Proposition 5.6 we would need to lift E to a curve defined over a larger ring than Z). Warning: The property of being anomalous depends on the base field. If E is anomalous over Fq , it is not necessarily anomalous over any Fqn for n ≥ 2. See Exercises 5.5 and 5.6. This is in contrast to supersingularity, which is independent of the base field and is really a property of the curve over the algebraic closure (since supersingular means that there are no points of order p with coordinates in the algebraic closure of the base field). The first thing we need to do is lift the curve E and the points P, Q to an elliptic curve over Z. PROPOSITION 5.6 Let E be an elliptic curve over Fp and let P, Q ∈ E(Fp ). We assume E is in Weierstrass form y 2 = x3 + Ax + B. Then there exist integers ˜ B, ˜ x1 , x2 , y1 , y2 and an elliptic curve E ˜ given by A, ˜ +B ˜ y 2 = x3 + Ax ˜ = (x2 , y2 ) ∈ E(Q) ˜ and such that such that P˜ = (x1 , y1 ), Q ˜ A ≡ A,

˜ B ≡ B,

P ≡ P˜ ,

˜ (mod p). Q≡Q

160

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

PROOF Choose integers x1 and x2 such that x1 , x2 (mod p) give the xcoordinates of P, Q. First, assume that x1 ≡ x2 (mod p). Choose an integer y1 such that P˜ = (x1 , y1 ) reduces to P mod p. Now choose y2 such that y22 ≡ y12

(mod x2 − x1 ) and (x2 , y2 ) ≡ Q (mod p).

This is possible by the Chinese Remainder Theorem, since gcd(p, x2 − x1 ) = 1 by assumption. Consider the simultaneous equations ˜ 1+B ˜ y12 = x31 + Ax 2 3 ˜ ˜ y2 = x2 + Ax2 + B. ˜ B: ˜ We can solve these for A, y 2 − y12 x3 − x31 A˜ = 2 − 2 , x2 − x1 x2 − x1

˜ = y12 − x31 − Ax ˜ 1. B

Since y22 − y12 is divisible by x2 − x1 , and since x1 , x2 , y1 , y2 are integers, it ˜ and therefore B, ˜ are integers. The points P˜ and Q ˜ lie on the follows that A, ˜ curve E we obtain. If x1 ≡ x2 (mod p), then P = ±Q. In this case, take x1 = x2 . Then choose y1 that reduces mod p to the y-coordinate of P . Choose an integer ˜ = y 2 − x3 − Ax ˜ 1 . Then P˜ = (x1 , y1 ) lies on E. ˜ Let A˜ ≡ A (mod p) and let B 1 1 ˜ ˜ ˜ Q = ±P . Then Q reduces to ±P = Q mod p. ˜ 2 ≡ 4A3 +27B 2 ≡ 0 (mod p), since E is an elliptic curve. Finally, 4A˜3 +27B 3 ˜ 2 = 0. Therefore E ˜ is an elliptic curve. It follows that 4A˜ + 27B REMARK 5.7 If we start with Q = kP for some integer k, it is very ˜ In fact, usually P˜ and Q ˜ are unlikely that this relation still holds on E. ˜ ˜ independent points. However, if they are dependent, so aP = bQ for some nonzero integers a, b, then aP = bQ, which allows us to find k (unless bP = ∞). The amazing thing about the case of anomalous curves is that even when ˜ are independent, we can extract enough information to find k. P˜ and Q Let a/b = 0 be a rational number, where a, b are relatively prime integers. Write a/b = pr a1 /b1 with p
a1 b1 . Define the p-adic valuation to be vp (a/b) = r. For example, v2 (7/40) = −3,

v5 (50/3) = 2,

v7 (1/2) = 0.

Define vp (0) = +∞ (so vp (0) > n for every integer n).

SECTION 5.4 ANOMALOUS CURVES

161

˜ + B. ˜ Let r ≥ 1 be ˜ be an elliptic curve over Z given by y 2 = x3 + Ax Let E an integer. Define ˜r = {(x, y) ∈ E(Q) ˜ E | vp (x) ≤ −2r, vp (y) ≤ −3r} ∪ {∞}. These are the points such that x has at least p2r in its denominator and y has at least p3r in its denominator. These should be thought of as the points that are close to ∞ mod powers of p (that is, p-adically close to ∞). THEOREM 5.8 ˜ + B, ˜ with A, ˜ B ˜ ∈ Z. Let p be prime and let ˜ be given by y 2 = x3 + Ax Let E r be a positive integer. Then ˜r is a subgroup of E(Q). ˜ 1. E ˜ 2. If (x, y) ∈ E(Q), then vp (x) < 0 if and only if vp (y) < 0. In this case, there exists an integer r ≥ 1 such that vp (x) = −2r, vp (y) = −3r. 3. The map ˜r /E ˜5r → Zp4r λr : E

(x, y) → p−r x/y ∞ → 0

(mod p4r )

is an injective homomorphism (where Zp4r is a group under addition). ˜r but (x, y) ∈ E ˜r+1 , then λr (x, y) ≡ 0 (mod p). 4. If (x, y) ∈ E This will be proved in Section 8.1. The map λr should be regarded as a ˜r+1 since it changes the law of composition in ˜r /E logarithm for the group E 4r the group to addition in Zp , just as the classical logarithm changes the composition law in the multiplicative group of positive real numbers to addition in R. We need one more fact, which is contained in Corollary 2.33: the reduction mod p map ˜ ˜ −→ E redp : E(Q)

(mod p)

(x, y) →  (x, y) ˜ E1 → {∞}

(mod p)

˜1 when (x, y) ∈ E

˜1 . is a homomorphism. The kernel of redp is E We are now ready for a theoretical version of the algorithm. We start with an elliptic curve E over Fp in Weierstrass form, and we have points P and Q on E. We want to find an integer k such that Q = kP (assume k = 0). The crucial assumption is that E is anomalous, so #E(Fp ) = p. Perform the following steps.

162

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

˜ P˜ , Q, ˜ as in Proposition 5.6. 1. Lift E, P, Q to Z to obtain E, ˜ 1 = pQ. ˜ Note that P˜1 , Q ˜1 ∈ E ˜1 since redp (pP˜ ) = 2. Let P˜1 = pP˜ , Q p · redp (P˜ ) = ∞ (this is where we use the fact that E is anomalous). ˜2 , choose new E, ˜ P˜ , Q ˜ and try again. Otherwise, let 1 = 3. If P˜1 ∈ E ˜ 1 ). We have k ≡ 2 /1 (mod p). λ1 (P˜1 ) and 2 = λ1 (Q ˜ = k P˜ − Q. ˜ We have Why does this work? Let K ˜ = redp (K). ˜ ∞ = kP − Q = redp (k P˜ − Q) ˜ ∈E ˜1 , so λ1 (K) ˜ is defined and Therefore K ˜ = pλ1 (K) ˜ ≡ 0 (mod p). λ1 (pK) Therefore, ˜ 1 ) = λ1 (kpP˜ − pQ) ˜ = λ1 (pK) ˜ ≡0 k1 − 2 = λ1 (k P˜1 − Q

(mod p).

This means that k ≡ 2 /1 (mod p), as claimed. Note that the assumption that E is anomalous is crucial. If E(Fp ) has ˜ into E ˜1 , where λ1 is defined. order N , we need to multiply by N to put P˜ , Q ˜ ˜ ˜ The difference K = k P − Q gets multiplied by N , also. When N is a multiple ˜ ≡ 0 (mod p), so the contribution from K ˜ disappears of p, we have λ1 (N K) from our calculations. If we try to implement the above algorithm, we soon encounter difficulties. If p is a large prime, the point P˜1 has coordinates whose numerators and denominators are too large to work with. For example, the numerator and denominator of the x-coordinate usually have approximately p2 digits (see Section 8.3). However, we are only looking for x/y (mod p). As we shall see, it suffices to work with numbers mod p2 . (It is also possible to use the “dual numbers” Fp [], where 2 = 0; see [10].) ˜ (mod p2 ). When we compute (x, y) = P˜1 = pP˜ , Let’s try calculating on E ˜2 , we have p2 in the denominator of x, so we run into problems. Since P˜1 ∈ E 2 P˜1 is already at ∞ mod p . Therefore, we cannot obtain information directly from calculating λ1 (P˜1 ). Instead, we calculate (p − 1)P˜ (mod p2 ), then add it to P˜ , keeping track of p in denominators. The procedure is the following. ˜ = (x2 , y2 ), as in Proposi˜ P˜ = (x1 , y1 ), Q 1. Lift E, P, Q to Z to obtain E, tion 5.6. 2. Calculate

P˜2 = (p − 1)P˜ ≡ (x , y  ) (mod p2 ). The rational numbers in the calculation of P˜2 should not have p in their denominators, so the denominators can be inverted mod p2 to obtain integers x , y  .

SECTION 5.4 ANOMALOUS CURVES

163

˜ ≡ (x , y  ) (mod p2 ). ˜ 2 = (p − 1)Q 3. Calculate Q 4. Compute m1 = p

y  − y1 , x − x1

m2 = p

y  − y2 . x − x2

˜ Otherwise, Q = kP , 5. If vp (m2 ) < 0 or vp (m1 ) < 0, then try another E. where k ≡ m1 /m2 (mod p). Example 5.5 Let E be the elliptic curve given by y 2 = x3 +108x+4 over F853 . Let P = (0, 2) and Q = (563, 755). It can be shown that 853P = ∞. Since 853 is prime, the order of P is 853, so 853|#E(F853 ). Hasse’s theorem implies that #E(F853 ) = 853, as in Section 4.3.3. Therefore, E is anomalous. Proposition 5.6 yields ˜ : y 2 = x3 + 7522715x + 4, E

P˜ = (0, 2),

˜ = (563, 66436). Q

We have P˜2 = 852P˜ ≡ (159511, 58855) (mod 8532 ) ˜ 2 = 852Q ˜ ≡ (256463, 645819) (mod 8532 ). Q Note that even with a prime as small as 853, writing P˜2 without reducing mod 8533 would require more than 100 thousand digits. We now calculate m1 = 853

58853 58853 58855 − 2 645819 − 66436 = and m2 = 853 = . 159511 − 0 187 256463 − 563 187

Therefore, k ≡ m1 /m2 ≡ 234 (mod 853). Let’s prove this algorithm works (the proof consists mostly of keeping track of powers of p, and can be skipped without much loss). The following notation is useful. We write O(pk ) to represent a rational number of the form pk z with vp (z) ≥ 0. Therefore, if a, b ∈ Z and k > 0, then a = b + O(pk ) simply means that a ≡ b (mod pk ). But we are allowing rational numbers and we are allowing negative k. For example, 1 23 = + O(7−1 ) 49 98 since

1 13 23 = + . 98 49 7 2

The following rule is useful: a a = + O(pk ) when vp (b) = 0, vp (a) ≥ 0, and k > 0. b + O(pk ) b

164

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

To prove it, simply rewrite the difference b+pa k z − ab . (Technical point: This actually should say that a/(b + O(pk )) can be changed to (a/b) + O(pk ). The problem with “=” is that the right side sometimes cannot be changed back to the left side; for example, let the right side be 0 with a = −pk .) Write P˜2 = (p − 1)P˜ = (u, v), with u, v ∈ Q (this is not yet mod p2 ). Then u = x + O(p2 ),

v = y  + O(p2 ).

Let (x, y) = P˜1 = pP˜ = P˜ + P˜2 = (x1 , y1 ) + (u, v). Then  x=

v − y1 u − x1



2 − u − x1 =

y  − y1 + O(p2 ) x − x1 + O(p2 )

2 − u − x1 .

˜1 and usually we have P˜1 ∈ E ˜2 . This means that x − x1 We have P˜1 ∈ E 2  is a multiple of p, but not of p (note: y ≡ y1 (mod p) since otherwise (p − 1)P = P , which is not the case). We’ll assume this is the case. Then  y  − y1 + O(p2 ) 1 y  − y1 + O(p2 ) = x
−x1 x − x1 + O(p2 ) p + O(p) p  1 y  − y1 = + O(p) x
−x1 p p =

1 m1 + O(p0 ). p

Note that vp (m1 ) = 0. Since vp (u) ≥ 0 and vp (x1 ) ≥ 0, we obtain  x=

2 1 m2 0 m1 + O(p ) − u − x1 = 21 + O(p−1 ). p p

Similarly, the y-coordinate of P˜1 satisfies y=−

m31 + O(p−2 ). p3

Therefore, 1 x 1 1 = λ1 (P˜1 ) = λ1 (x, y) = p−1 = − + O(p) ≡ − y m1 m1 Similarly, ˜1) ≡ − 1 2 = λ1 (Q m2

(mod p).

(mod p).

SECTION 5.5 OTHER ATTACKS

165

˜1 ∈ E ˜2 by Theorem 5.8, hence either P˜1 ∈ E ˜2 or k = 0. If vp (m2 ) < 0, then Q We are assuming these cases do not happen, and therefore the congruence just obtained makes sense. Therefore, k≡

m1 2 ≡ 1 m2

(mod p),

as claimed. This shows that the algorithm works. Anomalous curves are attractive from a computational viewpoint since calculating an integer multiple of a point in E(Fq ) can be done efficiently. In designing a cryptosystem, one therefore starts with an anomalous curve E over a small finite field Fq and works in E(Fqk ) for a large k. Usually it is best to work with the subgroup generated by a point whose order  is a large prime number. In particular,  will be much larger than p, hence not equal to p. Therefore, the above attack on anomalous curves does not apply to the present situation. Let E be an elliptic curve over Fq such that #E(Fq ) = q. Then the trace of the Frobenius φq is a = 1, so φ2q − φq + q = 0. This means that q = φq − φ2q . Therefore 2

2

q(x, y) = (xq , y q ) + (xq , −y q ) for all (x, y) ∈ E(Fq ). The calculation of xq , for example, can be done quickly in a finite field. Therefore, the expense of multiplying by q is little more than the expense of one addition of points. The standard method of computing q(x, y) (see Section 2.2) involves more point additions (except when q = 2; but see Exercise 5.8). To calculate k(x, y) for some integer k, expand k = k0 + k1 q + k2 q 2 + · · · in base q. Compute ki P for each i, then compute q i ki P . Finally, add these together to obtain kP .

5.5 Other Attacks For arbitrary elliptic curves, Baby Step/Giant Step and the Pollard ρ and λ methods seem to be the best algorithms. There are a few cases where index calculus techniques can be used in the jacobians of higher genus curves to solve discrete logarithm problems on certain elliptic curves, but it is not clear how generally their methods apply. See [45], [46], [79]. See also [113] for a discussion of some other index calculus ideas and elliptic curves. An interesting approach due to Silverman [112] is called the xedni calculus. Suppose we want to find k such that Q = kP on a curve E over Fp .

166

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

˜ Proposition 5.6 shows that we can lift E, P , and Q to an elliptic curve E ˜ = k  P˜ , then Q = k  P . ˜ If we can find k  with Q over Z with points P˜ and Q. ˜ are independent, so no k  exHowever, it is usually the case that P˜ and Q ists. Silverman’s idea was to start with several (up to 9) points of the form ai P + bi Q and lift them to a curve over Q. This is possible: Choose a lift to Z for each of the points. Write down an arbitrary cubic curve containing lifts of the points. The fact that a point lies on the curve gives a linear equation in the coefficients of the cubic equation. Use linear algebra to solve for these coefficients. This curve can then be converted to Weierstrass form (see Section 2.5.2). Since most curves over Q tend to have at most 2 independent points, the hope was that there would be relations among the lifted points. These could then be reduced mod p to obtain relations between P and Q, thus solving the discrete log problem. Unfortunately, the curves obtained tend to have many independent points and no relations. Certain modifications that should induce the curve to have fewer independent points do not seem to work. For an analysis of the algorithm and why it probably is not successful, see [55].

Exercises 5.1 Suppose G is a subgroup of order N of the points on an elliptic curve over a field. Show that the following algorithm finds k such that kP = Q: √ (a) Fix an integer m ≥ N . (b) Compute and store a list of the x-coordinates of iP for 0 ≤ i ≤ m/2. (c) Compute the points Q − jmP for j = 0, 1, 2, · · · , m − 1 until the x-coordinate of one of them matches an element from the stored list. (d) Decide whether Q − jmP = iP or = −iP . (e) If ±iP = Q − jmP , we have Q = kP with k ≡ ±i + jm (mod N ). This requires a little less computation and half as much storage as the baby step, giant step algorithm in the text. It is essentially the same as the method used in Section 4.3.4 to find the order of E(Fq ). 5.2 Let G be the additive group Zn . Explain why the discrete logarithm problem for G means solving ka ≡ b (mod n) for k and describe how this can be solved quickly. This shows that the difficulty of a discrete logarithm problem depends on the group. 5.3 Let E be the elliptic curve y 2 = x3 + 3 over F7 . (a) Show that 4(1, 2) = (4, 5) on E.

EXERCISES

167

(b) Show that the method of the proof of Proposition 5.6, with P = (1, 2) ˜ = (4, 5) on and Q = (4, 5), produces the points P˜ = (1, 2) and Q ˜ : y 2 = x3 − 14x + 17 (which is defined over Q). E ˜ mod 73. (c) Show that 2(1, 2) = (1, −2) and 3(1, 2) = ∞ on E ˜ (d) Show that there is no integer k such that k(1, 2) = (4, 5) on E. This shows that lifting a discrete log problem mod p to one on an elliptic curve over Q does not necessarily yield a discrete log problem that has a solution. 5.4 Let G be a group and let p be a prime. Suppose we have a fast algorithm for solving the discrete log problem for elements of order p (that is, given g ∈ G of order p and h = g k , there is a fast way to find k). Show that there is a fast algorithm for solving the discrete log problem for elements of order a power of p. (This is essentially what the PohligHellman method does. Since Pohlig-Hellman works with small primes, the fast algorithm for elements of order p in this case is simply brute force search.) 5.5 Let p ≥ 7 be prime. Show that if E is an elliptic curve over Fp such that E(Fp ) contains a point of order p, then #E(Fp ) = p. 5.6 Show that if E is anomalous over Fq then it is not anomalous over Fq2 . 5.7 Show that if E is anomalous over F2 then it is anomalous over F16 . 5.8 Suppose E is anomalous over F2 , so φ22 − φ2 + 2 = 0. Show that (a) 4 = −φ32 − φ22 (b) 8 = −φ32 + φ52 (c) 16 = φ42 − φ82 These equations were discovered by Koblitz [63], who pointed out that multiplication by each of 2, 4, 8, 16 in E(Q) can be accomplished by applying suitable powers of φ2 (this is finite field arithmetic and is fast) and then performing only one point addition. This is faster than successive doubling for 4, 8, and 16. 5.9 Let E be defined over Fq . (a) Show that a map from E(Fq ) to itself is injective if and only if it is surjective. (b) Show that if E(Fq ) has no point of order n, then E(Fq )/nE(Fq ) = 0 (in which case, the Tate-Lichtenbaum pairing is trivial). 5.10 (a) Let ψ be a homomorphism from a finite group G to itself. Show that the index of ψ(G) in G equals the order of the kernel of ψ.

168

CHAPTER 5 THE DISCRETE LOGARITHM PROBLEM

(b) Let E be defined over Fq and let n ≥ 1. Show that E(Fq )[n] and E(Fq )/nE(Fq ) have the same order. (When n|q − 1, this can be proved from the nondegeneracy of the Tate-Lichtenbaum pairing; see Lemma 11.28. The point of the present exercise is to prove it without using this fact.) 5.11 This exercise gives a way to attack discrete logarithms using the TateLichtenbaum pairing, even when there is a point of order 2 in E(Fq ) (cf. Lemma 5.4). Assume  is a prime such that |#E(Fq ) and |q − 1, and suppose that the -power torsion in E(Fq ) is cyclic of order i , with i ≥ 1. Let Pi have order i and let P have order . (a) Show that τ
(P, Pi ) is a primitive th root of unity. (b) Suppose Q = kP . Show how to use (a) to reduce the problem of finding k to a discrete logarithm problem in F× q . (c) Let N = #E(Fq ). Let R be a random point in E(Fq ). Explain why (N/i )R is very likely to be a point of order i . This shows that finding a suitable point Pi is not difficult. 5.12 Let E be defined by y 2 + y = x3 + x over F2 . Exercise 4.7 showed that #E(F2 ) = 5, so E is supersingular and φ22 + 2φ2 + 2 = 0. (a) Show that φ42 = −4. (b) Show that E[5] ⊆ E(F16 ). (c) Show that #E(F4 ) = 5 and #E(F16 ) = 25. This example shows that Proposition 5.3 can fail when a = 0.

Chapter 6 Elliptic Curve Cryptography In this chapter, we’ll discuss several cryptosystems based on elliptic curves, especially on the discrete logarithm problem for elliptic curves. We’ll also treat various related ideas, such as digital signatures. One might wonder why elliptic curves are used in cryptographic situations. The reason is that elliptic curves provide security equivalent to classical systems while using fewer bits. For example, it is estimated in [12] that a key size of 4096 bits for RSA gives the same level of security as 313 bits in an elliptic curve system. This means that implementations of elliptic curve cryptosystems require smaller chip size, less power consumption, etc. Daswani and Boneh [14] performed experiments using 3Com’s PalmPilot, which is a small hand-held device that is larger than a smart card but smaller than a laptop computer. They found that generating a 512-bit RSA key took 3.4 minutes, while generating a 163-bit ECC-DSA key to 0.597 seconds. Though certain procedures, such as signature verifications, were slightly faster for RSA, the elliptic curve methods such as ECC-DSA clearly offer great increases in speed in many situations.

6.1 The Basic Setup Alice wants to send a message, often called the plaintext, to Bob. In order to keep the eavesdropper Eve from reading the message, she encrypts it to obtain the ciphertext. When Bob receives the ciphertext, he decrypts it and reads the message. In order to encrypt the message, Alice uses an encryption key. Bob uses a decryption key to decrypt the ciphertext. Clearly, the decryption key must be kept secret from Eve. There are two basic types of encryption. In symmetric encryption, the encryption key and decryption key are the same, or one can be easily deduced from the other. Popular symmetric encryption methods include the Data Encryption Standard (DES) and the Advanced Encryption Standard (AES, often referred to by its original name Rijndael). In this case, Alice and Bob

169

170

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

need to have some way of establishing a key. For example, Bob could send a messenger to Alice several days in advance. Then, when it is time to send the message, they both will have the key. Clearly this is impractical in many situations. The other type of encryption is public key encryption, or asymmetric encryption. In this case, Alice and Bob do not need to have prior contact. Bob publishes a public encryption key, which Alice uses. He also has a private decryption key that allows him to decrypt ciphertexts. Since everyone knows the encryption key, it should be infeasible to deduce the decryption key from the encryption key. The most famous public key system is known as RSA and is based on the difficulty of factoring integers into primes. Another wellknown system is due to ElGamal and is based on the difficulty of the discrete logarithm problem. Generally, public key systems are slower than good symmetric systems. Therefore, it is common to use a public key system to establish a key that is then used in a symmetric system. The improvement in speed is important when massive amounts of data are being transmitted.

6.2 Diffie-Hellman Key Exchange Alice and Bob want to agree on a common key that they can use for exchanging data via a symmetric encryption scheme such as DES or AES. For example, Alice and Bob could be banks that want to transmit financial data. It is impractical and time-consuming to use a courier to deliver the key. Moreover, we assume that Alice and Bob have had no prior contact and therefore the only communication channels between them are public. One way to establish a secret key is the following method, due to Diffie and Hellman (actually, they used multiplicative groups of finite fields). 1. Alice and Bob agree on an elliptic curve E over a finite field Fq such that the discrete logarithm problem is hard in E(Fq ). They also agree on a point P ∈ E(Fq ) such that the subgroup generated by P has large order (usually, the curve and point are chosen so that the order is a large prime). 2. Alice chooses a secret integer a, computes Pa = aP , and sends Pa to Bob. 3. Bob chooses a secret integer b, computes Pb = bP , and sends Pb to Alice. 4. Alice computes aPb = abP . 5. Bob computes bPa = baP .

SECTION 6.2 DIFFIE-HELLMAN KEY EXCHANGE

171

6. Alice and Bob use some publicly agreed on method to extract a key from abP . For example, they could use the last 256 bits of the x-coordinate of abP as the key. Or they could evaluate a hash function at the xcoordinate. The only information that the eavesdropper Eve sees is the curve E, the finite field Fq , and the points P , aP , and bP . She therefore needs to solve the following: DIFFIE-HELLMAN PROBLEM Given P , aP , and bP in E(Fq ), compute abP . If Eve can solve discrete logs in E(Fq ), then she can use P and aP to find a. Then she can compute a(bP ) to get abP . However, it is not known whether there is some way to compute abP without first solving a discrete log problem. A related question is the following: DECISION DIFFIE-HELLMAN PROBLEM Given P , aP , and bP in E(Fq ), and given a point Q ∈ E(Fq ) determine whether or not Q = abP . In other words, if Eve receives an anonymous tip telling her abP , can she verify that the information is correct? The Diffie-Hellman problem and the Decision Diffie-Hellman problem can be asked for arbitrary groups. Originally, they appeared in the context of multiplicative groups F× q of finite fields. For elliptic curves, the Weil pairing can be used to solve the Decision DiffieHellman problem in some cases. We give one such example. Let E be the curve y 2 = x3 + 1 over Fq , where q ≡ 2 (mod 3). By Proposition 4.33, E is supersingular. Let ω ∈ Fq2 be a primitive third root of unity. Note that ω ∈ Fq since the order of F× q is q − 1, which is not a multiple of 3. Define a map β : E(Fq ) → E(Fq ),

(x, y) → (ωx, y),

β(∞) = ∞.

It is straightforward to show, using the formulas for the addition law, that β is an isomorphism (Exercise 6.1). Suppose P ∈ E(Fq ) has order n. Then β(P ) also has order n. Define the modified Weil pairing e˜n (P1 , P2 ) = en (P1 , β(P2 )), where en is the usual Weil pairing and P1 , P2 ∈ E[n].

172

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

LEMMA 6.1 Assume 3
n. If P ∈ E(Fq ) has order exactly n, then e˜n (P, P ) is a primitive nth root of unity. PROOF

Suppose uP = vβ(P ) for some integers u, v. Then β(vP ) = vβ(P ) = uP ∈ E(Fq ).

If vP = ∞, then uP = ∞, so u ≡ 0 (mod n). If vP = ∞, write vP = (x, y) with x, y ∈ Fq . Then (ωx, y) = β(vP ) ∈ E(Fq ). Since ω ∈ Fq , we must have x = 0. Therefore vP = (0, ±1), which has order 3. This is impossible since we have assumed that 3
n. It follows that the only relation of the form uP = vβ(P ) has u, v ≡ 0 (mod n), so P and β(P ) form a basis of E[n]. By Corollary 3.10, e˜n (P, P ) = en (P, β(P )) is a primitive nth root of unity. Suppose now that we know P, aP, bP, Q and we want to decide whether or not Q = abP . First, use the usual Weil pairing to decide whether or not Q is a multiple of P . By Lemma 5.1, Q is a multiple of P if and only if en (P, Q) = 1. Assume this is the case, so Q = tP for some t. We have e˜n (aP, bP ) = e˜n (P, P )ab = e˜n (P, abP )

and e˜n (Q, P ) = e˜n (P, P )t .

Assume 3
n. Then e˜n (P, P ) is a primitive nth root of unity, so Q = abP ⇐⇒ t ≡ ab (mod n) ⇐⇒ e˜n (aP, bP ) = e˜n (Q, P ). This solves the Decision Diffie-Hellman problem in this case. Note that we did not need to compute any discrete logs, even in finite fields. All that was needed was to compute the Weil pairing. The above method was pointed out by Joux and Nguyen. For more on the Decision Diffie-Hellman problem, see [13]. Joux [56] (see also [124]) has given another application of the modified Weil pairing to what is known as tripartite Diffie-Hellman key exchange. Suppose Alice, Bob, and Chris want to establish a common key. The standard Diffie-Hellman procedure requires two rounds of interaction. The modified Weil pairing allows this to be cut to one round. As above, let E be the curve y 2 = x3 + 1 over Fq , where q ≡ 2 (mod 3). Let P be a point of order n. Usually, n should be chosen to be a large prime. Alice, Bob, and Chris do the following. 1. Alice, Bob, and Chris choose secret integers a, b, c mod n, respectively. 2. Alice broadcasts aP , Bob broadcasts bP , and Chris broadcasts cP .

SECTION 6.3 MASSEY-OMURA ENCRYPTION

173

3. Alice computes e˜n (bP, cP )a , Bob computes e˜n (aP, cP )b , and Chris computes e˜n (aP, bP )c . 4. Since each of the three users has computed the same number, they use this number to produce a key, using some publicly prearranged method. Recall that, since E is supersingular, the discrete log problem on E can be reduced to a discrete log problem for F× q 2 (see Section 5.3.1). Therefore, q should be chosen large enough that this discrete log problem is hard. For more on cryptographic applications of pairings, see [57].

6.3 Massey-Omura Encryption Alice wants to send a message to Bob over public channels. They have not yet established a private key. One way to do this is the following. Alice puts her message in a box and puts her lock on it. She sends the box to Bob. Bob puts his lock on it and sends it back to Alice. Alice then takes her lock off and sends the box back to Bob. Bob then removes his lock, opens the box, and reads the message. This procedure can be implemented mathematically as follows. 1. Alice and Bob agree on an elliptic curve E over a finite field Fq such that the discrete log problem is hard in E(Fq ). Let N = #E(Fq ). 2. Alice represents her message as a point M ∈ E(Fq ). (We’ll discuss how to do this below.) 3. Alice chooses a secret integer mA with gcd(mA , N ) = 1, computes M1 = mA M , and sends M1 to Bob. 4. Bob chooses a secret integer mB with gcd(mB , N ) = 1, computes M2 = mB M1 , and sends M2 to Alice. −1 5. Alice computes m−1 A ∈ ZN . She computes M3 = mA M2 and sends M3 to Bob. −1 6. Bob computes m−1 B ∈ ZN . He computes M4 = mB M3 . Then M4 = M is the message.

Let’s show that M4 is the original message M . Formally, we have −1 M4 = m−1 B mA mB mA M = M,

but we need to justify the fact that m−1 A , which is an integer representing the inverse of mA mod N , and mA cancel each other. We have m−1 A mA ≡ 1

174

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

(mod N ), so m−1 A mA = 1 + kN for some k. The group E(Fq ) has order N , so Lagrange’s theorem implies that N R = ∞ for any R ∈ E(Fq ). Therefore, m−1 A mA R = (1 + kN )R = R + k∞ = R. Applying this to R = mB M , we find that M3 = m−1 A mB mA M = mB M. Similarly, m−1 B and mB cancel, so −1 M4 = m−1 B M3 = mB mB M = M.

The eavesdropper Eve knows E(Fq ) and the points mA M , mB mA M , and −1 mB M . Let a = m−1 A , b = mB , P = mA mB M . Then we see that Eve knows P, bP, aP and wants to find abP . This is the Diffie-Hellman problem (see Section 6.2). The above procedure works in any finite group. It seems that the method is rarely used in practice. It remains to show how to represent a message as a point on an elliptic curve. We use a method proposed by Koblitz. Suppose E is an elliptic curve given by y 2 = x3 +Ax+B over Fp . The case of an arbitrary finite field Fq is similar. Let m be a message, expressed as a number 0 ≤ m < p/100. Let xj = 100m + j for 0 ≤ j < 100. For j = 0, 1, 2, . . . , 99, compute sj = x3j + Axj + B . If (p−1)/2

≡ 1 (mod p), then sj is a square mod p, in which case we do not sj need to try any more values of j. When p ≡ 3 (mod 4), a square root of (p+1)/4 sj is then given by yj ≡ sj (mod p) (see Exercise 6.7). When p ≡ 1 (mod 4), a square root of sj can also be computed, but the procedure is more complicated (see [25]). We obtain a point (xj , yj ) on E. To recover m from (xj , yj ), simply compute [xj /100] (= the greatest integer less than or equal to xj /100). Since sj is essentially a random element of F× p , which is cyclic of even order, the probability is approximately 1/2 that sj is a square. So the probability of not being able to find a point for m after trying 100 values is around 2−100 .

6.4 ElGamal Public Key Encryption Alice wants to send a message to Bob. First, Bob establishes his public key as follows. He chooses an elliptic curve E over a finite field Fq such that the discrete log problem is hard for E(Fq ). He also chooses a point P on E (usually, it is arranged that the order of P is a large prime). He chooses a secret integer s and computes B = sP . The elliptic curve E, the finite field

SECTION 6.5 ELGAMAL DIGITAL SIGNATURES

175

Fq , and the points P and B are Bob’s public key. They are made public. Bob’s private key is the integer s. To send a message to Bob, Alice does the following: 1. Downloads Bob’s public key. 2. Expresses her message as a point M ∈ E(Fq ). 3. Chooses a secret random integer k and computes M1 = kP . 4. Computes M2 = M + kB. 5. Sends M1 , M2 to Bob. Bob decrypts by calculating M = M2 − sM1 . This decryption works because M2 − sM1 = (M + kB) − s(kP ) = M + k(sP ) − skP = M. The eavesdropper Eve knows Bob’s public information and the points M1 and M2 . If she can calculate discrete logs, she can use P and B to find s, which she can then use to decrypt the message as M2 − sM1 . Also, she could use P and M1 to find k. Then she can calculate M = M2 − kB. If she cannot calculate discrete logs, there does not appear to be a way to find M . It is important for Alice to use a different random k each time she sends a message to Bob. Suppose Alice uses the same k for both M and M
. Eve recognizes this because then M1 = M1
. She then computes M2
− M2 = M
− M . Suppose M is a sales announcement that is made public a day later. Then Eve finds out M , so she calculates M
= M − M2 + M2
. Therefore, knowledge of one plaintext M allows Eve to deduce another plaintext M
in this case. The ElGamal Public Key system, in contrast to the ElGamal signature scheme of the next section, does not appear to be widely used.

6.5 ElGamal Digital Signatures Alice wants to sign a document. The classical way is to write her signature on a piece of paper containing the document. Suppose, however, that the document is electronic, for example, a computer file. The naive solution would be to digitize Alice’s signature and append it to the file containing the document. In this case, evil Eve can copy the signature and append it to another document. Therefore, steps must be taken to tie the signature to

176

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

the document in such a way that it cannot be used again. However, it must be possible for someone to verify that the signature is valid, and it should be possible to show that Alice must have been the person who signed the document. One solution to the problem relies on the difficulty of discrete logs. Classically, the algorithm was developed for the multiplicative group of a finite field. In fact, it applies to any finite group. We’ll present it for elliptic curves. Alice first must establish a public key. She chooses an elliptic curve E over a finite field Fq such that the discrete log problem is hard for E(Fq ). She also chooses a point A ∈ E(Fq ). Usually the choices are made so that the order N of A is a large prime. Alice also chooses a secret integer a and computes B = aA. Finally, she chooses a function f : E(Fq ) → Z. For example, if Fq = Fp , then she could use f (x, y) = x, where x is regarded as an integer, 0 ≤ x < p. The function f needs no special properties, except that its image should be large and only a small number of inputs should produce any given output (for example, for f (x, y) = x, at most two points (x, y) yield a given output x). Alice’s public information is E, Fq , f , A, and B. She keeps a private. The integer N does not need to be made public. Its secrecy does not affect our analysis of the security of the system. To sign a document, Alice does the following: 1. Represents the document as an integer m (if m > N , choose a larger curve, or use a hash function (see below)). 2. Chooses a random integer k with gcd(k, N ) = 1 and computes R = kA. 3. Computes s ≡ k −1 (m − af (R)) (mod N ). The signed message is (m, R, s). Note that m, s are integers, while R is a point on E. Also, note that Alice is not trying to keep the document m secret. If she wants to do that, then she needs to use some form of encryption. Bob verifies the signature as follows: 1. Downloads Alice’s public information. 2. Computes V1 = f (R)B + sR and V2 = mA. 3. If V1 = V2 , he declares the signature valid. If the signature is valid, then V1 = V2 since V1 = f (R)B + sR = f (R)aA + skA = f (R)aA + (m − af (R))A = mA = V2 . We have used the fact that sk ≡ m − af (R), hence sk = m − af (R) + zN for some integer z. Therefore, skA = (m − af (R))A + zN A = (m − af (R))A + ∞ = (m − af (R))A.

SECTION 6.5 ELGAMAL DIGITAL SIGNATURES

177

This is why the congruence defining s was taken mod N . If Eve can calculate discrete logs, then she can use A and B to find a. In this case, she can put Alice’s signature on any message. Alternatively, Eve can use A and R to find k. Since she knows s, f (R), m, she can then use ks ≡ m − af (R) (mod N ) to find a. If d = gcd(f (R), N ) = 1, then af (R) ≡ m − ks (mod N ) has d solutions for a. As long as d is small, Eve can try each possibility until she obtains B = aA. Then she can use a, as before, to forge Alice’s signature on arbitrary messages. As we just saw, Alice must keep a and k secret. Also, she must use a different random k for each signature. Suppose she signs m and m
using the same k to obtain signed messages (m, R, s) and (m
, R, s
). Eve immediately recognizes that k has been used twice since R is the same for both signatures. The equations for s, s
yield the following: ks ≡ m − af (R)


(mod N )




ks ≡ m − af (R) (mod N ). Subtracting yields k(s−s
) ≡ m−m
(mod N ). Let d = gcd(s−s
, N ). There are d possible values for k. Eve tries each one until R = kA is satisfied. Once she knows k, she can find a, as above. It is perhaps not necessary for Eve to solve discrete log problems in order to forge Alice’s signature on another message m. All Eve needs to do is produce R, s such that the verification equation V1 = V2 is satisfied. This means that she needs to find R = (x, y) and s such that f (R)B + sR = mA. If she chooses some point R (there is no need to choose an integer k), she needs to solve the discrete log problem sR = mA − f (R)B for the integer s. If, instead, she chooses s, then she must solve an equation for R = (x, y). This equation appears to be at least as complex as a discrete log problem, though it has not been analyzed as thoroughly. Moreover, no one has been able to rule out the possibility of using some procedure that finds R and s simultaneously. There are ways of using a valid signed message to produce another valid signed message (see Exercise 6.2). However, the messages produced are unlikely to be meaningful messages. The general belief is that the security of the ElGamal system is very close to the security of discrete logs for the group E(Fq ). A disadvantage of the ElGamal system is that the signed message (m, R, s) is approximately three times as long as the original message (it is not necessary to store the full y-coordinate of R since there are only two choices for y for a given x). A more efficient method is to choose a public hash function H and sign H(m). A cryptographic hash function is a function that takes inputs of arbitrary length, sometimes a message of billions of bits, and outputs values of fixed length, for example, 160 bits. A hash function H should have the following properties:

178

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

1. Given a message m, the value H(m) can be calculated very quickly. 2. Given y, it is computationally infeasible to find m with H(m) = y. (This says that H is preimage resistant.) 3. It is computationally infeasible to find distinct messages m1 and m2 with H(m1 ) = H(m2 ). (This says that H is strongly collision-free.) The reason for (2) and (3) is to prevent Eve from producing messages with a desired hash value, or two messages with the same hash value. This helps prevent forgery. There are several popular hash functions available, for example, MD5 (due to Rivest; it produces a 128-bit output) and the Secure Hash Algorithm (from NIST; it produces a 160-bit output). We won’t discuss these here. For details, see [81]. Recent work of Wang, Yin, and Yu [127] has found weaknesses in them, so the subject is somewhat in a state of flux. If Alice uses a hash function, the signed message is then (m, RH , sH ), where (H(m), RH , sH ) is a valid signature. (m, RH , sH ) is valid, Bob does the following:

To verify that the signature

1. Downloads Alice’s public information. 2. Computes V1 = f (RH )B + sH RH and V2 = H(m)A. 3. If V1 = V2 , he declares the signature valid. The advantage is that a very long message m containing billions of bits has a signature that requires only a few thousand extra bits. As long as the discrete log problem is hard for E(Fq ), Eve will be unable to put Alice’s signature on another message. The use of a hash function also guards against certain other forgeries (see Exercise 6.2). A recent variant of the ElGamal signature scheme due to van Duin is very efficient in certain aspects. For example, it avoids the computation of k −1 , and its verification procedure requires only two computations of an integer times a point. As before, Alice has a document m that she wants to sign. To set up the system, she chooses an elliptic curve E over a finite field Fq and a point A ∈ E(Fq ) of large prime order N . She also chooses a cryptographic hash function H. She chooses a secret integer a and computes B = aA. The public information is (E, q, N, H, A, B). The secret information is a. To sign m, Alice does the following: 1. Chooses a random integer k mod N and computes R = kA. 2. Computes t = H(R, m)k + a (mod N ).

SECTION 6.6 THE DIGITAL SIGNATURE ALGORITHM

179

The signed document is (m, R, t). To verify the signature, Bob downloads Alice’s public information and checks whether tA = H(R, m)R + B is true. If it is, the signature is declared valid; otherwise, it is invalid.

6.6 The Digital Signature Algorithm The Digital Signature Standard [1],[86] is based on the Digital Signature Algorithm (DSA). The original version used multiplicative groups of finite fields. A more recent elliptic curve version (ECDSA) uses elliptic curves. The algorithm is a variant on the ElGamal signature scheme, with some modifications. We sketch the algorithm here. Alice wants to sign a document m, which is an integer (actually, she usually signs the hash of the document, as in Section 6.5). Alice chooses an elliptic curve over a finite field Fq such that #E(Fq ) = f r, where r is a large prime and f is a small integer, usually 1,2, or 4 (f should be small in order to keep the algorithm efficient). She chooses a base point G in E(Fq ) of order r. Finally, Alice chooses a secret integer a and computes Q = aG. Alice makes public the following information: Fq ,

E,

r,

G,

Q.

(There is no need to keep f secret; it can be deduced from q and r using Hasse’s theorem by the technique in Examples 4.6 and 4.7.) To sign the message m Alice does the following: 1. Chooses a random integer k with 1 ≤ k < r and computes R = kG = (x, y). 2. Computes s = k −1 (m + ax) (mod r). The signed document is (m, R, s). To verify the signature, Bob does the following. 1. Computes u1 = s−1 m (mod r) and u2 = s−1 x (mod r). 2. Computes V = u1 G + u2 Q. 3. Declares the signature valid if V = R.

180

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

If the message is signed correctly, the verification equation holds: V = u1 G + u2 Q = s−1 mG + s−1 xQ = s−1 (mG + xaG) = kG = R. The main difference between the ECDSA and the ElGamal system is the verification procedure. In the ElGamal system, the verification equation f (R)B + sR = mA requires three computations of an integer times a point. These are the most expensive parts of the algorithm. In the ECDSA, only two computations of an integer times a point are needed. If many verifications are going to be made, then the improved efficiency of the ECDSA is valuable. This is the same type of improvement as in the van Duin system mentioned at the end of the previous section.

6.7 ECIES The Elliptic Curve Integrated Encryption Scheme (ECIES) was invented by Bellare and Rogaway [2]. It is a public key encryption scheme. Alice wants to send a message m to Bob. First, Bob establishes his public key. He chooses an elliptic curve E over a finite field Fq such that the discrete log problem is hard for E(Fq ), and he chooses a point A on E, usually of large prime order N . He then chooses a secret integer s and computes B = sA. The public key is (q, E, N, A, B). The private key is s. The algorithm also needs two cryptographic hash functions, H1 and H2 , and a symmetric encryption function Ek (depending on a key k) that are publicly agreed upon. To encrypt and send her message, Alice does the following: 1. Downloads Bob’s public key. 2. Chooses a random integer k with 1 ≤ k ≤ N − 1. 3. Computes R = kA and Z = kB. 4. Writes the output of H1 (R, Z) as k1 k2 (that is, k1 followed by k2 ), where k1 and k2 have specified lengths. 5. Computes C = Ek1 (m) and t = H2 (C, k2 ). 6. Sends (R, C, t) to Bob. To decrypt, Bob does the following: 1. Computes Z = sR, using his knowledge of the secret key s. 2. Computes H1 (R, Z) and writes the output as k1 k2 .

SECTION 6.8 A PUBLIC KEY SCHEME BASED ON FACTORING

181

3. Computes H2 (C, k2 ). If it does not equal t, Bob stops and rejects the ciphertext. Otherwise, he continues. 4. Computes m = Dk1 (C), where Dk1 is the decryption function for Ek1 . An important feature is the authentication procedure in step (3) of the decryption. In many cryptosystems, an attacker can choose various ciphertexts and force Bob to decrypt them. These decryptions are used to attack the system. In the present system, the attacker can generate ciphertexts by choosing C and k2
and then letting t
= H2 (C, k2
). But the attacker does not know Z, so he cannot use the same value k2 that Bob obtains from H1 (R, Z). Therefore, it is very unlikely that t
= H2 (C, k2
) will equal t = H2 (C, k2 ). With very high probability, Bob simply rejects the ciphertext and does not return a decryption. In our description of the procedure, we used hash functions for the authentication. There are other message authentication methods that could be used. An advantage of ECIES over the Massey-Omura and ElGamal public key methods is that the message is not represented as a point on the curve. Moreover, since a keyed symmetric method is used to send the message, we do not need to do a new elliptic curve calculation for each block of the message.

6.8 A Public Key Scheme Based on Factoring Most cryptosystems using elliptic curves are based on the discrete log problem, in contrast to the situation for classical systems, which are sometimes based on discrete logs and sometimes based on the difficulty of factorization. The most famous public key cryptosystem is called RSA (for Rivest-ShamirAdleman) and proceeds as follows. Alice wants to send a message to Bob. Bob secretly chooses two large primes p, q and multiplies them to obtain n = pq. Bob also chooses integers e and d with ed ≡ 1 (mod (p − 1)(q − 1)). He makes n and e public and keeps d secret. Alice’s message is a number m (mod n). She computes c ≡ me (mod n) and sends c to Bob. Bob computes m ≡ cd (mod n) to obtain the message. If Eve can find p and q, then she can solve ed ≡ 1 (mod (p − 1)(q − 1)) to obtain d. It can be shown (by methods similar to those used in the elliptic curve scheme below; see [121]) that if Eve can find the decryption exponent d, then she probably can factor n. Therefore, the difficulty of factoring n is the key to the security of the RSA system. A natural question is whether there is an elliptic curve analogue of RSA. In the following, we present one such system, due to Koyama-Maurer-OkamotoVanstone. It does not seem to be used much in practice. Alice want to send a message to Bob. They do the following.

182

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

1. Bob chooses two distinct large primes p, q with p ≡ q ≡ 2 (mod 3) and computes n = pq. 2. Bob chooses integers e, d with ed ≡ 1 (mod lcm(p + 1, q + 1)). (He could use (p + 1)(q + 1) in place of lcm(p + 1, q + 1).) 3. Bob makes n and e public (they form his public key) and he keeps d, p, q private. 4. Alice represents her message as a pair of integers (m1 , m2 ) (mod n). She regards (m1 , m2 ) as a point M on the elliptic curve E given by y 2 = x3 + b

mod n,

where b = m22 − m31 (mod n) (she does not need to compute b). 5. Alice adds M to itself e times on E to obtain C = (c1 , c2 ) = eM . She sends C to Bob. 6. Bob computes M = dC on E to obtain M . We’ll discuss the security of the system shortly. But, first, there are several points that need to be discussed. 1. Note that the formulas for the addition law on E never use the value of b. Therefore, Alice and Bob never need to compute it. Eve can compute it, if she wants, as b = c22 − c31 . 2. The computation of eM and dC on E are carried out with the formulas for the group law on an elliptic curve, with all of the computations being done mod n. Several times during the computation, expressions such as (y2 − y1 )/(x2 − x1 ) are encountered. These are changed to integers mod n by finding the multiplicative inverse of (x2 − x1 ) mod n. This requires gcd(x2 − x1 , n) = 1. If the gcd is not 1, then it is p, q, or n. If we assume it is very hard to factor n, then we regard the possibility of the gcd being p or q as very unlikely. If the gcd is n, then the slope is infinite and the sum of the points in question is ∞. The usual rules for working with ∞ are followed. For technical details of working with elliptic curves mod n, see Section 2.11. By the Chinese Remainder Theorem, an integer mod n may be regarded as a pair of integers, one mod p and one mod q. Therefore, we can regard a point on E in Zn as a pair of points, one on E mod p and the other on E mod q. In this way, we have E(Zn ) = E(Fp ) ⊕ E(Fq ).

(6.1)

For example, the point (11, 32) on y 2 = x3 + 8 mod 35 can be regarded as the pair of points (1, 2)

mod 5,

(4, 4)

mod 7.

SECTION 6.8 A PUBLIC KEY SCHEME BASED ON FACTORING

183

Any such pair of points can be combined to obtain a point mod n. There is a technicality with points at infinity, which is discussed in Section 2.11. 3. Using (6.1), we see that the order of E(Zn ) is #E(Fp ) · #E(Fq ). By Proposition 4.33, E is supersingular mod p and mod q, so we find (by Corollary 4.32) that #E(Fp ) = p + 1 and #E(Fq ) = q + 1. Therefore, (p + 1)M = ∞ (mod p) and (q + 1)M = ∞ (mod q). This means that the decryption works: Write de = 1 + k(p + 1) for some integer k. Then dC = deM = (1+k(p+1))M = M +k(p+1)M = M +∞ = M

(mod p),

and similarly mod q. Therefore, dC = M . 4. A key point of the procedure is that the group order is independent of b. If Bob chooses a random elliptic curve y 2 = x3 + Ax + B over Zn , then he has to compute the group order, perhaps by computing it mod p and mod q. This is infeasible if p and q are chosen large enough to make factoring n infeasible. Also, if Bob fixes the elliptic curve, Alice will have difficulty finding points M on the curve. If she does the procedure of first choosing the x-coordinate as the message, then solving y 2 ≡ m3 + Am + B (mod n) for y, she is faced with the problem of computing square roots mod n. This is computationally equivalent to factoring n (see [121]). If Bob fixes only A (the formulas for the group operations depend only on A) and allows Alice to choose B so that her point lies on the curve, then his choice of e, d requires that the group order be independent of B. This is the situation in the above procedure. If Eve factors n as pq, then she knows (p + 1)(q + 1), so she can find d with ed ≡ 1 (mod (p + 1)(q + 1)). Therefore, she can decrypt Alice’s message. Suppose that Eve does not yet know the factorization of n, but she finds out the decryption exponent d. We claim that she can, with high probability, factor n. She does the following: 1. Writes ed − 1 = 2k v with v odd and with k ≥ 1 (k = 0 since p + 1 divides ed − 1). 2. Picks a random pair of integers R = (r1 , r2 ) mod n, lets b
= r22 − r13 , and regards R as a point on the elliptic curve E
given by y 2 = x3 + b
. 3. Computes R0 = vR. If R0 = ∞ mod n, start over with a new R. If R0 is ∞ mod exactly one of p, q, then Eve has factored n (see below). 4. For i = 0, 1, 2, . . . , k, computes Ri+1 = 2Ri .

184

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

5. If for some i, the point Ri+1 is ∞ mod exactly one of p, q, then Ri = (xi , yi ) with yi ≡ 0 mod one of p, q. Therefore, gcd(yi , n) = p or q. In this case, Eve stops, since she has factored n. 6. If for some i, Ri+1 = ∞ mod n, then Eve starts over with a new random point. In a few iterations, this should factor n. Since ed − 1 is a multiple of #E(Zn ), Rk = (ed − 1)R = edR − R = ∞. Therefore, each iteration of the procedure will eventually end with a point Rj
that is ∞ mod at least one of p, q. Let 2k be the highest power of 2 dividing p + 1. If we take a random point P in E(Fp ), then the probability is 1/2 that
the order of P is divisible by 2k . This follows easily from the fact that E(Fp )
is cyclic (see Exercise 6.6). In this case, Rk
−1 = 2k −1 vP = ∞ (mod p),

while Rk
= 2k vP = ∞ (mod p). If the order is not divisible by 2k , then

Rk
−1 = ∞ (mod p). Similarly, if 2k is the highest power of 2 dividing q + 1, then Rk

−1 = ∞ (mod q) half the time, and = ∞ (mod q) half the time. Since mod p and mod q are independent, it is easy to see that the sequence R0 , R1 , R2 , . . . reaches ∞ mod p and mod q at different indices i at least half the time. This means that for at least half of the choices of random starting points R, we obtain a factorization of n. If R0 = ∞ mod p, but not mod q, then somewhere in the calculation of R0 there was a denominator of a slope that was infinite mod p but not mod q. The gcd of this denominator with n yields p. A similar situation occurs if p and q are switched. Therefore, if R0 is infinite mod exactly one of the primes, Eve obtains a factorization, as claimed in step (3). We conclude that knowledge of the decryption exponent d is computationally equivalent to knowledge of the factorization of n.

6.9 A Cryptosystem Based on the Weil Pairing In Chapter 5, we saw how the Weil pairing could be used to reduce the discrete log problem on certain elliptic curves to the discrete log problem for the multiplicative group of a finite field. In the present section, we’ll present a method, due to Boneh and Franklin, that uses the Weil pairing on these curves to obtain a cryptosystem (other pairings could also be used). The reader may wonder why we use these curves, since the discrete log problem is easier on these curves. The reason is that the properties of the pairing are used in an essential way. The fact that the pairing can be computed quickly is vital for the present algorithm. This fact was also important in reducing the discrete log problem to finite fields. However, note that the discrete log

SECTION 6.9 A CRYPTOSYSTEM BASED ON THE WEIL PAIRING

185

problem in the finite field is still not trivial as long as the finite field is large enough. For simplicity, we’ll consider a specific curve, namely the one discussed in Section 6.2. Let E be defined by y 2 = x3 + 1 over Fp , where p ≡ 2 (mod 3). Let ω ∈ Fp2 be a primitive third root of unity. Define a map β : E(Fp2 ) → E(Fp2 ),

(x, y) → (ωx, y),

β(∞) = ∞.

Suppose P has order n. Then β(P ) also has order n. Define the modified Weil pairing e˜n (P1 , P2 ) = en (P1 , β(P2 )), where en is the usual Weil pairing and P1 , P2 ∈ E[n]. We showed in Lemma 6.1 that if 3
n and if P ∈ E(Fp ) has order exactly n, then e˜n (P, P ) is a primitive nth root of unity. Since E is supersingular, by Proposition 4.33, E(Fp ) has order p + 1. We’ll add the further assumption that p = 6 − 1 for some prime . Then 6P has order  or 1 for each P ∈ E(Fp ). In the system we’ll describe, each user has a public key based on her or his identity, such as an email address. A central trusted authority assigns a corresponding private key to each user. In most public key systems, when Alice wants to send a message to Bob, she looks up Bob’s public key. However, she needs some way of being sure that this key actually belongs to Bob, rather than someone such as Eve who is masquerading as Bob. In the present system, the authentication happens in the initial communication between Bob and the trusted authority. After that, Bob is the only one who has the information necessary to decrypt messages that are encrypted using his public identity. A natural question is why RSA cannot be used to produce such a system. For example, all users could share the same common modulus n, whose factorization is known only to the trusted authority (TA). Bob’s identity, call it bobid, would be his encryption exponent. The TA would then compute Bob’s secret decryption exponent and communicate it to him. When Alice sends Bob a message m, she encrypts it as mbobid (mod n). Bob then decrypts using the secret exponent provided by the TA. However, anyone such as Bob who knows an encryption and decryption exponent can find the factorization of n (using a variation of the method of Section 6.8), and thus read all messages in the system. Therefore, the system would not protect secrets. If, instead, a different n is used for each user, some type of authentication procedure is needed for a communication in order to make sure that the n is the correct one. This brings us back to the original problem. The system described in the following gives the basic idea, but is not secure against certain attacks. For ways to strengthen the system, see [15]. To set up the system, the trusted authority does the following: 1. Chooses a large prime p = 6 − 1 as above. 2. Chooses a point P of order  in E(Fp ).

186

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

3. Chooses hash functions H1 and H2 . The function H1 takes a string of bits of arbitrary length and outputs a point of order  on E (see Exercise 6.8). The function H2 inputs an element of order  in F× p2 and outputs a binary string of length n, where n is the length of the messages that will be sent. 4. Chooses a secret random s ∈ F×
and computes Ppub = sP . 5. Makes p, H1 , H2 , n, P, Ppub public, while keeping s secret. If a user with identity ID wants a private key, the trusted authority does the following: 1. Computes QID = H1 (ID). This is a point on E. 2. Lets DID = sQID . 3. After verifying that ID is the identification for the user with whom he is communicating, sends DID to this user. If Alice wants to send a message M to Bob, she does the following: 1. Looks up Bob’s identity, for example, ID [email protected] (written as a binary string) and computes QID = H1 (ID). 2. Chooses a random r ∈ F×
. 3. Computes gID = e˜
(QID , Ppub ). 4. Lets the ciphertext be the pair r c = (rP, M ⊕ H2 (gID )),

where ⊕ denotes XOR (= bitwise addition mod 2). Bob decrypts a ciphertext (u, v) as follows: 1. Uses his private key DID to compute hID = e˜
(DID , u). 2. Computes m = v ⊕ H2 (hID ). The decryption works because r e˜
(DID , u) = e˜
(sQID , rP ) = e˜
(QID , P )sr = e˜
(QID , Ppub )r = gID .

Therefore, r r e
(DID , u)) = (M ⊕ H2 (gID )) ⊕ H2 (gID ) = M. m = v ⊕ H2 (˜

EXERCISES

187

Exercises 6.1 Show that the map β in Section 6.2 is an isomorphism (it is clearly bijective; the main point is that it is a homomorphism). 6.2 (a) Suppose that the ElGamal signature scheme is used to produce the valid signed message (m, R, s), as in Section 6.5. Let h be an integer with gcd(h, N ) = 1. Assume gcd(f (R), N ) = 1. Let R
= hR,

s
≡ sf (R
)f (R)−1 h−1





−1

m ≡ mf (R )f (R)

(mod N ), (mod N ).

Show that (m
, R
, s
) is a valid signed message (however, it is unlikely that m
is a meaningful message, so this procedure does not affect the security of the system). (b) Suppose a hash function is used, so the signed messages are of the form (m, RH , sH ). Explain why this prevents the method of (a) from working. 6.3 Use the notation of Section 6.5. Let u, v be two integers with gcd(v, N ) = 1 and let R = uA + vB. Let s ≡ −v −1 f (R) (mod N ) and m ≡ su (mod N ). (a) Show that (m, R, s) is a valid signed message for the ElGamal signature scheme. (However, it is unlikely that m is a meaningful message.) (b) Suppose a hash function is used, so the signed messages are of the form (m, RH , sH ). Explain why this prevents the method of (a) from working. 6.4 Let E be an elliptic curve over Fq and let N = #E(Fq ). Alice has a message that she wants to sign. She represents the message as a point M ∈ E(Fq ). Alice has a secret integer a and makes public points A and B in E(Fq ) with B = aA, as in the ElGamal signature scheme. There is a public function f : E(Fq ) → Z/N Z. Alice performs the following steps. (a) She chooses a random integer k with gcd(k, N ) = 1. (b) She computes R = M − kA. (c) She computes s ≡ k −1 (1 − f (R)a) (mod N ). (d) The signed message is (M, R, s). Bob verifies the signature as follows.

188

CHAPTER 6 ELLIPTIC CURVE CRYPTOGRAPHY

(a) He computes V1 = sR − f (R)B and V2 = sM − A. (b) He declares the signature valid if V1 = V2 . Show that if Alice performs the required steps correctly, then the verification equation V1 = V2 holds. (This signature scheme is a variant of one due to Nyberg and Rueppel (see [12]). An interesting feature is that the message appears as an element of the group E(Fq ) rather than as an integer.) 6.5 Let p, q be prime numbers and suppose you know the numbers m = (p + 1)(q + 1) and n = pq. Show that p, q are the roots of the quadratic equation x2 − (m − n − 1)x + n = 0 (so p, q can be found using the quadratic formula). 6.6 Let E be the elliptic curve y 2 = x3 + b mod p, where p ≡ 2 (mod 3). (a) Suppose E[n] ⊆ E(Fp ) for some n ≡ 0 (mod p). Show that n|p − 1 and n2 |p + 1. Conclude that n ≤ 2. (b) Show that E[2] ⊆ E(Fp ). (c) Show that E(Fp ) is cyclic (of order p + 1). 6.7 Let p ≡ 3 (mod 4) be a prime number. Suppose x ≡ y 2 (mod p). (a) Show that (y (p+1)/2 )2 ≡ y 2 (mod p). (b) Show that y (p+1)/2 ≡ ±y (mod p). (c) Show that x(p+1)/4 is a square root of x (mod p). (d) Suppose z is not a square mod p. Using the fact that −1 is not a square mod p, show that −z is a square mod p. (e) Show that z (p+1)/4 is a square root of −z (mod p). 6.8 Let p = 6 − 1 and E be as in Section 6.9. The hash function H1 in that section inputs a string of bits of arbitrary length and outputs a point of order  on E. One way to do this is as follows. (a) Choose a hash function H that outputs integers mod p. Input a binary string B. Let the output of H be the y coordinate of a point: y = H(B). Show that there is a unique x mod p such that (x, y) lies on E. (b) Let H1 (B) = 6(x, y). Show that H1 (B) is a point of order  or 1 on E. Why is it very unlikely that H1 (B) has order 1?

Chapter 7 Other Applications In the 1980s, about the same time that elliptic curves were being introduced into cryptography, two related applications of elliptic curves were found, one to factoring and one to primality testing. These are generalizations of classical methods that worked with multiplicative groups Z× n . The main advantage of elliptic curves stems from the fact that there are many elliptic curves mod a number n, so if one elliptic curve doesn’t work, another can be tried. The problems of factorization and primality testing are related, but are very different in nature. The largest announced factorization up to the year 2007 was of an integer with 200 digits. However, it was at that time possible to prove primality of primes of several thousand digits. It is possible to prove that a number is composite without finding a factor. One way is to show that an−1
≡ 1 (mod n) for some a with gcd(a, n) = 1. Fermat’s little theorem says that if n is prime and gcd(a, n) = 1, then an−1 ≡ 1 (mod n), so it follows that n must be composite, even though we have not produced a factor. Of course, if an−1 ≡ 1 (mod n) for several random choices of a, we might suspect that n is probably prime. But how can we actually prove n is prime? If n has only a few digits, we can divide n by each of the √ primes up to n. However, if n has hundreds of digits, this method will take too long (much longer than the predicted life of the universe). In Section 7.2, we discuss efficient methods for proving primality. Similarly, suppose we have proved that a number is composite. How do we find the factors? This is a difficult computational problem. If the smallest prime √ factor of n has more than a few digits, then trying all prime factors up to n cannot work. In Section 7.1, we give a method that works well on numbers n of around 60 digits.

7.1 Factoring Using Elliptic Curves In the mid 1980s, Hendrik Lenstra [75] gave new impetus to the study of elliptic curves by developing an efficient factoring algorithm that used elliptic

189

190

CHAPTER 7 OTHER APPLICATIONS

curves. It turned out to be very effective for factoring numbers of around 60 decimal digits, and, for larger numbers, finding prime factors having around 20 to 30 decimal digits. We start with an example. Example 7.1 We want to factor 4453. Let E be the elliptic curve y 2 = x3 + 10x − 2 mod 4453 and let P = (1, 3). Let’s try to compute 3P . First, we compute 2P . The slope of the tangent line at P is 13 3x2 + 10 = ≡ 3713 2y 6

(mod 4453).

We used the fact that gcd(6, 4453) = 1 to find 6−1 ≡ 3711 (mod 4453). Using this slope, we find that 2P = (x, y), with x ≡ 37132 − 2 ≡ 4332,

y ≡ −3713(x − 1) − 3 ≡ 3230.

To compute 3P , we add P and 2P . The slope is 3227 3230 − 3 = . 4332 − 1 4331 But gcd(4331, 4453) = 61
= 1. Therefore, we cannot find 4331−1 (mod 4453), and we cannot evaluate the slope. However, we have found the factor 61 of 4453, and therefore 4453 = 61 · 73. Recall (Section 2.11) that E(Z4453 ) = E(F61 ) ⊕ E(F73 ). If we look at the multiples of P mod 61 we have P ≡ (1, 3), 2P ≡ (1, 58), 3P ≡ ∞, 4P ≡ (1, 3), . . .

(mod 61).

However, the multiples of P mod 73 are P ≡ (1, 3), 2P ≡ (25, 18), 3P ≡ (28, 44), . . . , 64P ≡ ∞ (mod 73). Therefore, when we computed 3P mod 4453, we obtained ∞ mod 61 and a finite point mod 73. This is why the slope had a 61 in the denominator and was therefore infinite mod 61. If the order of P mod 73 had been 3 instead of 64, the slope would have had 0 mod 4453 in its denominator and the gcd would have been 4453, which would have meant that we did not obtain the factorization of 4453. But the probability is low that the order of a point mod 61 is exactly the same as the order of a point mod 73, so this situation will usually not cause us much trouble. If we replace 4453 with a much larger composite number n and work with an elliptic curve mod n and a point P

SECTION 7.1 FACTORING USING ELLIPTIC CURVES

191

on E, then the main problem we’ll face is finding some integer k such that kP = ∞ mod one of the factors of n. In fact, we’ll often not obtain such an integer k. But if we work with enough curves E, it is likely that at least one of them will allow us to find such a k. This is the key property of the elliptic curve factorization method. Before we say more about elliptic curves, let’s look at the classical p − 1 factorization method. We start with a composite integer n that we want to factor. Choose a random integer a and a large integer B. Compute a1 ≡ aB!

(mod n), and gcd(a1 − 1, n).

Note that we do not compute aB! and then reduce mod n, since that would overflow the computer. Instead, we can compute aB! mod n recursively by b
ab! ≡ a(b−1)! (mod n), for b = 2, 3, 4, . . . , B. Or we can write B! in binary and do modular exponentiation by successive squaring. We say that an integer m is B-smooth if all of the prime factors of m are less than or equal to B. For simplicity, assume n = pq is the product of two large primes. Suppose that p − 1 is B-smooth. Since B! contains all of the primes up to B, it is likely that B! is a multiple of p − 1 (the main exception is when p − 1 is divisible by the square of a prime that is between B/2 and B). Therefore, a1 ≡ aB! ≡ 1 (mod p) by Fermat’s little theorem (we ignore the very unlikely case that p|a). Now suppose q − 1 is divisible by a prime
> B. Among all the elements in the cyclic group Z× q , there are at most (q − 1)/
that have order not divisible by
and at least (
− 1)(q − 1)/
that have order divisible by
. (These numbers are exact if
2
q − 1.) Therefore, it is very likely that the order of a is divisible by
, and therefore a1 ≡ aB!
≡ 1

(mod q).

Therefore, a1 − 1 is a multiple of p but is not a multiple of q, so gcd(a1 − 1, pq) = p. If all the prime factors of q − 1 are less than B, we usually obtain gcd(a1 − 1, n) = n. In this case, we can try a smaller B, or use various other procedures (similar to the one in Section 6.8). The main problem is choosing B so that p − 1 (or q − 1) is B-smooth. If we choose B small, the probability of this is low. If we choose B very large, then the computation of a1 becomes too lengthy. So we need to choose B of medium size, maybe around 108 . But what if both p − 1 and q − 1 have prime factors of around 20 decimal digits? We could keep trying various random choices of a, hoping to get lucky. But the above calculation shows that if there is a prime

with

|p − 1 but

> B,

192

CHAPTER 7 OTHER APPLICATIONS

then the chance that a1 ≡ 1 (mod p) is at most 1/

. This is very small if

≈ 1020 . There seems to be no way to get the method to work. The elliptic curve method has a much better chance of success in this case because it allows us to change groups. In the elliptic curve factorization method, we will need to choose random elliptic curves mod n and random points on these curves. A good way to do this is as follows. Choose a random integer A mod n and a random pair of integers P = (u, v) mod n. Then choose C (the letter B is currently being used for the bound) such that C = v 2 − u3 − Au

(mod n).

This yields an elliptic curve y 2 = x3 + Ax + C with a point (u, v). This is much more efficient than the naive method of choosing A, C, u, then trying to find v. In fact, since being able to find square roots mod n is computationally equivalent to factoring n, this naive method will almost surely fail. Here is the elliptic curve factorization method. We start with a composite integer n (assume n is odd) that we want to factor and do the following. 1. Choose several (usually around 10 to 20) random elliptic curves Ei : y 2 = x3 + Ai x + Bi and points Pi mod n. 2. Choose an integer B (perhaps around 108 ) and compute (B!)Pi on Ei for each i. 3. If step 2 fails because some slope does not exist mod n, then we have found a factor of n. 4. If step 2 succeeds, increase B or choose new random curves Ei and points Pi and start over. Steps 2, 3, 4 can often be done in parallel using all of the curves Ei simultaneously. The elliptic curve method is very successful in finding a prime factor p of n when p < 1040 . Suppose we have a random integer n of around 100 decimal digits, and we know it is composite (perhaps, for example, 2n−1
≡ 1 (mod n), so Fermat’s little theorem implies that n is not prime). If we cannot find a small prime factor (by testing all of the primes up to 107 , for example), then the elliptic curve method is worth trying since there is a good chance that n will have a prime factor less than 1040 . Values of n that are used in cryptographic applications are now usually chosen as n = pq with both p and q large (at least 75 decimal digits). For such numbers, the quadratic sieve and the number field sieve factorization methods outperform the elliptic curve method. However, the elliptic curve method is sometimes used inside these methods to look for medium sized prime factors of numbers that appear in intermediate steps.

SECTION 7.1 FACTORING USING ELLIPTIC CURVES

193

Why does the elliptic curve method work? For simplicity, assume n = pq. A random elliptic curve E mod n can be regarded as an elliptic curve mod p and an elliptic curve mod q. We know, by Hasse’s theorem, that √ √ p + 1 − 2 p < #E(Fp ) < p + 1 + 2 p. √ √ In fact, each integer in the interval (p + 1 − 2 p, p + 1 + 2 p) occurs for some elliptic curve. If B is of reasonable size, then the density of B-smooth integers in this interval is high enough, and the distribution of orders of random elliptic curves is sufficiently uniform. Therefore, if we choose several random E, at least one will probably have B-smooth order. In particular, if P lies on this E, then it is likely that (B!)P = ∞ (mod p) (as in the p − 1 method, the main exception occurs when the order is divisible by the square of a prime near B). It is unlikely that the corresponding point P on E mod q will satisfy (B!)P = ∞ (mod q). (If it does, choose a smaller B or use the techniques of Section 6.8 to factor n.) Therefore, when computing (B!)P (mod n), we expect to obtain a slope whose denominator is divisible by p but not by q. The gcd of this denominator with n yields the factor p. In summary, the difference between the p − 1 method and the elliptic curve method is the following. In the p − 1 method, there is a reasonable chance that p − 1 is B-smooth, but if it is not, there is not much we can do. In the elliptic curve method, there is a reasonable chance that #E(Fp ) is B-smooth, but if it is not we can choose another elliptic curve E. It is interesting to note that the elliptic curve method, when applied to singular curves (see Section 2.10), yields classical factorization methods. First, let’s consider the curve E given by y 2 = x2 (x + 1) mod n. We showed in Theorem 2.31 that the map (x, y) →

x+y x−y

is an isomorphism from Ens = E(Zn )\(0, 0) to Z× n . (Actually, we only showed this for fields. But it is true mod p and mod q, so the Chinese Remainder Theorem allows us to get the result mod n = pq.) A random point P on Ens corresponds to a random a ∈ Z× n . Calculating (B!)P corresponds to computing a1 ≡ aB! (mod n). We have (B!)P = ∞ (mod p) if and only if a1 ≡ 1 (mod p), since ∞ and 1 are the identity elements of their respective groups. Fortunately, we have ways to extract the prime factor p of n in both cases. The first is by computing the gcd in the calculation of a slope. The second is by computing gcd(a1 − 1, n). Therefore, we see that the elliptic curve method for the singular curve y 2 = x2 (x + 1) is really the p − 1 method in disguise. If we consider y 2 = x2 (x + a) when a is not a square mod p, then we get the classical p + 1 factoring method (see Exercise 7.2). Now let’s consider E given by y 2 = x3 . By Theorem 2.30, the map x (x, y) → y

194

CHAPTER 7 OTHER APPLICATIONS

is an isomorphism from Ens = E(Zn ) \ (0, 0) to Zn , regarded as an additive group. A random point P in Ens corresponds to a random integer a mod n. Computing (B!)P corresponds to computing (B!)a (mod n). We have (B!)P = ∞ (mod p) if and only if (B!)a ≡ 0 (mod p), which occurs if and only if p ≤ B (note that this is much less likely than having p − 1 be Bsmooth). Essentially, this reduces to the easiest factorization method: divide n by each of the primes up to B. This method is impractical if the smallest prime factor of n is not small. But at least it is almost an efficient way to do it. If we replace B! by the product Q of primes up to B, then computing gcd(Q, n) is often faster than trying each prime separately.

7.2 Primality Testing Suppose n is an integer of several hundred decimal digits. It is usually easy to decide with reasonable certainty whether n is prime or composite. But suppose we actually want to prove that our answer is correct. If n is composite, then usually either we know a nontrivial factor (so the proof that n is composite consists of giving the factor) or n failed a pseudoprimality test (for example, perhaps an−1
≡ 1 (mod n) for some a). Therefore, when n is composite, it is usually easy to prove it, and the proof can be stated in a form that can be checked easily. But if n is prime, the situation is more difficult. Saying that n passed several pseudoprimality tests indicates that n is probably prime, but does √ not prove that n is prime. Saying that a computer checked all primes up to n is not very satisfying (and is not believable when n has several hundred digits). Cohen and Lenstra developed methods involving Jacobi sums that work well for primes of a few hundred digits. However, for primes of a thousand digits or more, the most popular method currently in use involves elliptic curves. (Note: For primes restricted to special classes, such as Mersenne primes, there are special methods. However, we are considering randomly chosen primes.) The elliptic curve primality test is an elliptic curve version of the classical Pocklington-Lehmer primality test. Let’s look at it first. PROPOSITION 7.1 √ Let n > 1 be an integer, and let n − 1 = rs with r ≥ n. Suppose that, for each prime
|r, there exists an integer a
with ≡1 an−1
Then n is prime.

  (n−1)/
(mod n) and gcd a
− 1, n = 1.

SECTION 7.2 PRIMALITY TESTING

195

PROOF Let p be a prime factor of n and let
e be the highest power of
(n−1)/
e (mod p). Then dividing r. Let b ≡ a
e

e−1

(n−1)/


b
≡ an−1 ≡ 1 (mod p) and b
≡ a

≡ 1 (mod p),
  (n−1)/
since gcd a
− 1, n = 1. It follows that the order of b (mod p) is
e . Therefore,
e |p − 1. Since this is true for every prime power factor
e of r, we have r|p − 1. In particular, √ p > r ≥ n. √ If n is composite, it must have a prime factor at most n. We have shown this is not the case, so n is prime. REMARK 7.2

A converse of Proposition 7.1 is true. See Exercise 7.3.

Example 7.2 Let n = 153533. Then n − 1 = 4 · 131 · 293. Let r = 4 · 131. The primes dividing r are
= 2 and
= 131. We have   2n−1 ≡ 1 (mod n) and gcd 2(n−1)/2 − 1, n = 1, so we can take a2 = 2. Also,

  2n−1 ≡ 1 (mod n) and gcd 2(n−1)/131 − 1, n = 1,

so we can take a131 = 2, also. The hypotheses of Proposition 7.1 are satisfied, so we have proved that 153533 is prime. The fact that a2 = a131 can be regarded as coincidence. In fact, we could take a2 = a131 = a293 = 2, which shows that 2 is a primitive root mod 153533 (see Appendix A). So, in a sense, the calculations for the Pocklington-Lehmer test can be regarded as progress towards showing that there is a primitive root mod n (see Exercise 7.3). Of course, to make the proof complete, we should prove that 2 and 131 are primes. We leave the case of 2 as an exercise and look at 131. We’ll use the Pocklington-Lehmer test again. Write 130 = 2 · 5 · 13. Let r = 13, so we have only one prime
, namely
= 13. We have
 2130 ≡ 1 (mod 131) and gcd 210 − 1, 131 = 1. Therefore, we can take a13 = 2. The Pocklington-Lehmer test implies that 131 is prime. Of course, we need the fact that 13 is prime, but 13 is small enough to check by trying possible factors. We can compactly record the proof that an integer n is prime by stating the values of the prime factors
of r and the corresponding integers a
. We

196

CHAPTER 7 OTHER APPLICATIONS

should also include proofs of primality of each of these primes
. And we should include proofs of primality of the auxiliary primes used in the proofs for each
, etc. Anyone can use this information to verify our proof. We never need to say how we found the numbers a
, nor how we factored r. √ What happens if we cannot find enough factors of n − 1 to obtain r ≥ n such that we know all the prime factors
of r? This is clearly a possibility if we are working with n of a thousand digits. As in the case of the p−1 factoring method in Section 7.1, an elliptic curve analogue comes to the rescue. Note that the number n − 1 that we need to factor is the order of the group Z× n . If we can use elliptic curves, we can replace n − 1 with a group order near n, but there will be enough choices for the elliptic curve that we can probably find a number that can be partially factored. The following is due to Goldwasser and Kilian [47]. Recall that a finite point in E(Zn ) is a point (x, y) with x, y ∈ Zn . This is in contrast to the points in E(Zn ) that are infinite mod some of the factors of n and therefore cannot be expressed using coordinates in Zn . See Section 2.10. THEOREM 7.3 Let n > 1 and let E be an elliptic curve mod n. Suppose there exist distinct prime numbers
1 , . . . ,
k and finite points Pi ∈ E(Zn ) such that 1.
i Pi = ∞ for 1 ≤ i ≤ k
2 k 2. i=1
i > n1/4 + 1 . Then n is prime. Let p be a prime factor of n. Write n = pf n1 with p
n1 . Then

PROOF

E(Zn ) = E(Zpf ) ⊕ E(Zn1 ). Since Pi is a finite point in E(Zn ), it yields a finite point in E(Zpf ), namely Pi mod pf . We can further reduce and obtain a finite point Pi,p = Pi mod p in E(Fp ). Since
i Pi = ∞ mod n, we have
i Pi = ∞ mod every factor of n. In particular,
i Pi,p = ∞ in E(Fp ), which means that Pi,p has order
i . It follows that
i | #E(Fp )  for all i, so #E(Fp ) is divisible by
i . Therefore, 

1/4

n

k 2   2 √ +1 <
i ≤ #E(Fp ) < p + 1 + 2 p = p1/2 + 1 , i=1

√ √ so p > n. Since all prime factors of n are greater than n, it follows that n is prime.

EXERCISES

197

Example 7.3 Let n = 907. Let E be the elliptic curve y 2 = x3 + 10x − 2 mod n. Let
= 71. Then  
> 9071/4 + 1

2

≈ 42.1.

Let P = (819, 784). Then 71P = ∞. Theorem 7.3 implies that 907 is prime. Of course, we needed the fact that 71 is prime, which could also be proved using Theorem 7.3, or by direct calculation. How did we find E and P ? First, we looked at a few elliptic curves mod 907 until we found one whose order was divisible by a prime
that was slightly larger than 42.1. (If we had chosen
≈ 907 then we wouldn’t have made much progress, since we would still have needed to prove the primality of
). In fact, to find the order of the curve, we started with curves where we knew a point. In the present case, E has the point (1, 3). Using Baby Step, Giant Step, we found the order of (1, 3) to be 923 = 13·71. Then we took P = 13(1, 3), which has order 71. For large n, the hardest part of the algorithm is finding an elliptic curve E with a suitable number of points. One possibility is to choose random elliptic curves mod n and compute their orders, for example, using Schoof’s algorithm, until an order is found that has a suitable prime factor
. A more efficient procedure, due to Atkin and Morain (see [7]), uses the theory of complex multiplication to find suitable curves. As in the Pocklington-Lehmer test, once a proof of primality is found, it can be recorded rather compactly. The Goldwasser-Kilian test has been used to prove the primality of numbers of more than 1000 decimal digits.

Exercises 7.1 Let E be y 2 = x3 − 20x + 21 mod 35, and let P = (15, −4). (a) Factor 35 by trying to compute 3P . (b) Factor 35 by trying to compute 4P by doubling twice. (c) Compute both 3P and 4P on E mod 5 and on E mod 7. Explain why the factor 5 is obtained by computing 3P and 7 is obtained by computing 4P . 7.2 This exercise shows that when the elliptic curve factorization method is applied to the singular curve y 2 = x2 (x+a) where a is not a square mod a prime p, then we obtain a method equivalent to the p + 1 factoring method [134]. We first describe a version of the p + 1 method. Let p be an odd prime factor of the integer n that we want to factor. Let t0 = 2 and choose a random integer t1 mod n. Define tm by the recurrence

198

CHAPTER 7 OTHER APPLICATIONS

relation tm+2 = t1 tm+1 − tm for m ≥ 0. Let β, γ be the two roots of f (X) = X 2 − t1 X + 1 in Fp2 . Assume that t21 − 4 is not a square in Fp , so β, γ
∈ Fp . Let sm = β m + γ m for m ≥ 0. Show that β m+2 = t1 β m+1 − β m for m ≥ 0, and similarly for γ. Show that sm+2 = t1 sm+1 − sm for all m ≥ 0. Show that tm ≡ sm (mod p) for all m ≥ 0. Show that β p is a root of f (X) (mod p), and that β p
= β. Therefore, γ = β p . (e) Show that β p+1 = 1 and γ p+1 = 1. (f) Show that tp+1 − 2 ≡ 0 (mod p). (g) Show that if p + 1|B! for some bound B (so p + 1 is B-smooth) then gcd(tB! − 2, n) is a multiple of p. Since there are ways to compute tB! mod n quickly, this gives a factorization method.

(a) (b) (c) (d)

We now show the relation with the elliptic curve factorization method. Consider a curve E given by y 2 = x2 (x + a) mod n, where a is not a square mod p. Choose a random point P on E. To factor n by the elliptic curve method, we compute B!P √ . By Theorem 2.31, P mod p corresponds to an element β = u + v a ∈ Fp2 with u2 − v 2 a = 1. (h) Show that β is a root of X 2 − 2uX + 1. (i) Show that B!P = ∞ mod p if and only if β B! = 1 in Fp2 . (j) Let t1 = 2u and define the sequence tm as above. Show that B!P = ∞ mod p if and only if p divides gcd(tB! − 2, n). Therefore, the elliptic curve method factors n exactly when the p + 1 method factors n. 7.3 (a) Show that if n is prime and g is a primitive root mod n, then a
= g satisfies the hypotheses of Proposition 7.1 for all
. (b) Suppose we take r = n − 1 and s = 1 in Proposition 7.1, and suppose that there is some number g such that a
= g satisfies the conditions on a
for each
. Show that g is a primitive root mod n. (Hint: What power of
divides the order of g mod n?) 7.4 The proof of Theorem 7.3 works for singular curves given by a Weierstrass equation where the cubic has a double root, as in Theorem 2.31. This yields a theorem that uses Z× n , rather than E(Zn ), to prove that n is prime. State Theorem 7.3 in this case in terms of Z× n . (Remark: The analogue of Theorem 7.3 for Zn is rather trivial. The condition that Pi is a finite point becomes the condition that Pi is a number mod n such that gcd(Pi , n) = 1 (that is, it is not the identity for the group law mod any prime factor of n). Therefore
i Pi = ∞ translates to
i Pi ≡ 0 (mod n), which implies that
i ≡ 0 (mod n). Since
i is prime, we must have n =
i . Hence n is prime.)

Chapter 8 Elliptic Curves over Q As we saw in Chapter 1, elliptic curves over Q represent an interesting class of Diophantine equations. In the present chapter, we study the group structure of the set of rational points of an elliptic curve E defined over Q. First, we show how the torsion points can be found quite easily. Then we prove the Mordell-Weil theorem, which says that E(Q) is a finitely generated abelian group. As we’ll see in Section 8.6, the method of proof has its origins in Fermat’s method of infinite descent. Finally, we reinterpret the descent calculations in terms of Galois cohomology and define the Shafarevich-Tate group.

8.1 The Torsion Subgroup. The Lutz-Nagell Theorem The torsion subgroup of E(Q) is easy to calculate. In this section we’ll give examples of how this can be done. The crucial step is the following theorem, which was used in Chapter 5 to study anomalous curves. For convenience, we repeat some of the notation introduced there. Let a/b
= 0 be a rational number, where a, b are relatively prime integers. Write a/b = pr a1 /b1 with p
a1 b1 . Define the p-adic valuation to be vp (a/b) = r. For example, v2 (7/40) = −3, v5 (50/3) = 2, and v7 (1/2) = 0. Define vp (0) = +∞ (so vp (0) > n for every integer n). Let E be an elliptic curve over Z given by y 2 = x3 + Ax + B. Let r ≥ 1 be an integer. Define Er = {(x, y) ∈ E(Q) | vp (x) ≤ −2r,

vp (y) ≤ −3r} ∪ {∞}.

These are the points such that x has at least p2r in its denominator and y has at least p3r in its denominator. These should be thought of as the points that are close to ∞ mod powers of p (that is, p-adically close to ∞).

199

200

CHAPTER 8 ELLIPTIC CURVES OVER Q

THEOREM 8.1 Let E be given by y 2 = x3 + Ax + B with A, B ∈ Z. Let p be a prime and let r be a positive integer. Then 1. Er is a subgroup of E(Q). 2. If (x, y) ∈ E(Q), then vp (x) < 0 if and only if vp (y) < 0. In this case, there exists an integer r ≥ 1 such that vp (x) = −2r and vp (y) = −3r. 3. The map λr : Er /E5r → Zp4r

(x, y) → p−r x/y ∞ → 0

(mod p4r )

is an injective homomorphism (where Zp4r is a group under addition). 4. If (x, y) ∈ Er but (x, y)
∈ Er+1 , then λr (x, y)
≡ 0 (mod p). REMARK 8.2 The map λr should be regarded as a logarithm for the group Er /E5r since it changes the law of composition in the group to addition in Zp4r , just as the classical logarithm changes the composition law in the multiplicative group of positive real numbers to addition in R. PROOF The denominator of x3 + Ax + B equals the denominator of y 2 . It is easy to see that the denominator of y is divisible by p if and only if the denominator of x is divisible by p. If pj , with j > 0, is the exact power of p dividing the denominator of y, then p2j is the exact power of p in the denominator of y 2 . Similarly, if pk , with k > 0, is the exact power of p dividing the denominator of x, then denominator of x3 + Ax + B is exactly divisible by p3k . Therefore, 2j = 3k. It follows that there exists r with j = 3r and k = 2r. This proves (2). Also, we see that {(x, y) ∈ Er | vp (x) = −2r, vp (y) = −3r} = {(x, y) ∈ Er | vp (x/y) = r} is the set of points in Er not in Er+1 . This proves (4). Moreover, if λr (x, y) ≡ 0 (mod p4r ), then vp (x/y) ≥ 5r, so (x, y) ∈ E5r . This proves that λr is injective (as soon as we prove it is a homomorphism). Let x 1 t= , s= . y y Dividing the equation y 2 = x3 + Ax + B by y 3 yields 1 = y


3

2
3 x x 1 1 +A +B , y y y y

SECTION 8.1 THE TORSION SUBGROUP. THE LUTZ-NAGELL THEOREM

201

which can be written as s = t3 + Ats2 + Bs3 . In the following, it will be convenient to write pj |z for a rational number z when pj divides the numerator of z. Similarly, we’ll write z ≡ 0 (mod pj ) in this case. These extended notions of divisibility and congruence satisfy properties similar to those for the usual notions. LEMMA 8.3 (x, y) ∈ Er if and only if p3r |s. If p3r |s, then pr |t. PROOF If (x, y) ∈ Er , then p3r divides the denominator of y, so p3r divides the numerator of s = 1/y. Conversely, suppose p3r |s. Then p3r divides the denominator of y. Part (2) of the theorem shows that p2r divides the denominator of x. Therefore, (x, y) ∈ Er . If p3r |s, then the exact power of p dividing the denominator of y is p3k , with k ≥ r. Part (2) of the theorem implies that the exact power of p dividing t = x/y is pk . Since k ≥ r, we have pr |t. We now continue with the proof of Theorem 8.1. Let λr be as in the statement of the theorem. Note that λr (−(x, y)) = λr (x, −y) = −p−r x/y = −λr (x, y). We now claim that if P1 + P2 + P3 = ∞ then λr (P1 ) + λr (P2 ) + λr (P3 ) ≡ 0 (mod p4r ). The proof will also show that if P1 , P2 ∈ Er , then P3 ∈ Er (hence Er is a subgroup). Therefore, λr (P1 + P2 ) = λr (−P3 ) = −λr (P3 ) = λr (P1 ) + λr (P2 ), so λr is a homomorphism. Recall that three points add to ∞ if and only if they are collinear (Exercise 2.6). To prove the claim, let P1 , P2 , P3 lie on the line ax + by + d = 0 and assume that P1 , P2 ∈ Er . Dividing by y yields the s, t line at + b + ds = 0. Let Pi
denote the point Pi written in terms of the s, t coordinates. In other words, if Pi = (xi , yi ),

202

CHAPTER 8 ELLIPTIC CURVES OVER Q

then Pi
= (si , ti ) with si = 1/yi ,

ti = xi /yi .

P1
, P2
, P3


The points lie on the line at + b + ds = 0. Since P1 , P2 ∈ Er , Lemma 8.3 implies that p3r |si ,

pr |ti ,

for i = 1, 2.

As discussed in Section 2.4, at a finite point (x, y), the order of intersection of the line ax+by +d = 0 and the curve y 2 = x3 +Ax+B can be calculated by using projective coordinates and considering the line aX + bY + dZ = 0 and the curve ZY 2 = X 3 + AXZ 2 + BZ 3 . In this case, x = X/Z and y = Y /Z. If we start with a line at + b + ds = 0 and the curve s = t3 + Ats2 + Bs3 , we can homogenize to get aT + bU + dS = 0 and SU 2 = T 3 + AT S 2 + BS 3 . In this case, we have t = T /U and s = S/U . If we let Z = S, Y = U , X = T , we find that we are working with the same line and curve as above. A point (x, y) corresponds to t = T /U = X/Y = x/y and s = S/U = Z/Y = 1/y. Since orders of intersection can be calculated using the projective models, it follows that the order of intersection of the line ax + by + d = 0 with the curve y 2 = x3 + Ax + B at (x, y) is the same as the order of intersection of the line at + b + ds = 0 with the curve s = t3 + Ats2 + Bs3 at (s, t) = (1/y, x/y). For example, the line and curve are tangent in the variables x, y if and only if they are tangent in the variables t, s. This allows us to do the elliptic curve group calculations using t, s instead of x, y. LEMMA 8.4 A line t = c, where c ∈ Q is a constant with c ≡ 0 (mod p), intersects the curve s = t3 + As2 t + Bs3 in at most one point (s, t) with s ≡ 0 (mod p). This line is not tangent at such a point of intersection. PROOF Suppose we have two values of s, call them s1 , s2 with s1 ≡ s2 ≡ 0 (mod p). Suppose s1 ≡ s2 (mod pk ) for some k ≥ 1. Write si = ps
i . Then 2 2 2 2 s
1 ≡ s
2 (mod pk−1 ), so s
1 ≡ s
2 (mod pk−1 ), so s21 = p2 s
1 ≡ p2 s
2 = s22 (mod pk+1 ). Similarly, s31 ≡ s32 (mod pk+2 ). Therefore, s1 = c3 + Acs21 + Bs31 ≡ c3 + Acs22 + Bs32 = s2

(mod pk+1 ).

By induction, we have s1 ≡ s2 (mod pk ) for all k. It follows that s1 = s2 , so there is at most one point of intersection with s ≡ 0 (mod p).

SECTION 8.1 THE TORSION SUBGROUP. THE LUTZ-NAGELL THEOREM

203

The slope of the tangent line to the curve can be found by implicit differentiation: ds ds ds = 3t2 + As2 + 2Ast + 3Bs2 , dt dt dt so 3t2 + As2 ds = . dt 1 − 2Ast − 3Bs2 If the line t = c is tangent to the curve at (s, t), then 1 − 2Ast − 3Bs2 = 0. But s ≡ t ≡ 0 (mod p) implies that 1 − 2Ast − 3Bs2 ≡ 1
≡ 0 (mod p). Therefore, t = c is not tangent to the curve. If d = 0, then our line is of the form in the lemma. But it passes through the points P1
and P2
, so we must have P1
= P2
, and the line is tangent to the curve. Changing back to x, y coordinates, we obtain P1 = P2 . The definition of the group law says that since the points P1 and P2 are equal, the line ax + by + d = 0 is tangent at (x, y). As pointed out above, this means that at + b + ds = 0 is tangent at (s, t). The lemma says that this cannot happen. Therefore, d
= 0. Dividing by d, we obtain s = αt + β for some α, β ∈ Q. Then P1
, P2
, P3
lie on the line s = αt + β. LEMMA 8.5 α=

PROOF we have

t22 + t1 t2 + t21 + As22 . 1 − A(s1 + s2 )t1 − B(s22 + s1 s2 + s21 )

If t1
= t2 , then α = (s2 −s1 )/(t2 −t1 ). Since si = t3i +As2i ti +Bs3i ,   (s2 − s1 ) 1 − A(s1 + s2 )t1 − B(s22 + s1 s2 + s21 ) = (s2 − s1 ) − A(s22 − s21 )t1 − B(s32 − s31 )

= (s2 − As22 t2 − Bs32 ) − (s1 − As21 t1 − Bs31 ) + As22 (t2 − t1 ) = t32 − t31 + As22 (t2 − t1 ) = (t2 − t1 )(t22 + t1 t2 + t21 + As22 ).

This proves that (s2 − s1 )/(t2 − t1 ) equals the expression in the lemma. Now suppose that t1 = t2 . Since a line t = c with c ≡ 0 (mod p) intersects the curve s = t3 + As2 t + Bs3 in only one point with s ≡ 0 (mod p) by Lemma 8.4, the points (s1 , t1 ) and (s2 , t2 ) must be equal. The line s = αt + β

204

CHAPTER 8 ELLIPTIC CURVES OVER Q

is therefore the tangent line at this point, and the slope is computed by implicit differentiation of s = t3 + Ats2 + Bs3 : ds ds ds = 3t2 + As2 + 2Ast + 3Bs2 . dt dt dt Solving for ds/dt yields the expression in the statement of the lemma when t1 = t2 = t and s1 = s2 = s. Since s1 ≡ s2 ≡ 0 (mod p), we find that the denominator 1 − A(s1 + s2 )t1 − B(s22 + s1 s2 + s21 ) ≡ 1 (mod p). Since pr |ti , we have t22 + t1 t2 + t21 + As22 ≡ 0 (mod p2r ). Therefore, α ≡ 0 (mod p2r ). Since p3r |si , we have β = si − αti ≡ 0

(mod p3r ).

The point P3
is the third point of intersection of the line s = αt + β with s = t3 + As2 t + Bs3 . Therefore, we need to solve for t: αt + β = t3 + A(αt + β)2 t + B(αt + β)3 . This can be rearranged to obtain 0 = t3 +

2Aαβ + 3Bα2 β 2 t + ··· . 1 + Bα3 + Aα2

The sum of the three roots is the negative of the coefficient of t2 , so 2Aαβ + 3Bα2 β 1 + Bα3 + Aα2 ≡ 0 (mod p5r ).

t1 + t2 + t3 = −

The last congruence holds because p2r |α and p3r |β. Since t1 ≡ t2 ≡ 0 (mod pr ), we have t3 ≡ 0 (mod pr ). Therefore, s3 = αt3 + β ≡ 0 (mod p3r ). By Lemma 8.3, P3 ∈ Er . Moreover, λr (P1 ) + λr (P2 ) + λr (P3 ) ≡ p−r (t1 + t2 + t3 ) ≡ 0

(mod p4r ).

Therefore, λr is a homomorphism. This completes the proof of Theorem 8.1.

COROLLARY 8.6 Let the notations be as in Theorem 8.1. If n > 1 and n is not a power of p, then E1 contains no points of exact order n. (See also Theorem 8.9.)

SECTION 8.1 THE TORSION SUBGROUP. THE LUTZ-NAGELL THEOREM

205

PROOF Suppose P ∈ E1 has order n. Since n is not a power of p, we may multiply P by the largest power of p dividing n and obtain a point, not equal to ∞, of order prime to p. Therefore, we may assume that P has order n with p
n. Let r be the largest integer such that P ∈ Er . Then nλr (P ) = λr (nP ) = λr (∞) ≡ 0

(mod p4r ).

Since p
n, we have λr (P ) ≡ 0 (mod p4r ), so P ∈ E5r . Since 5r > r, this contradicts the choice of r. Therefore, P does not exist. The following theorem was proved independently by Lutz and Nagell in the 1930s. Quite often it allows a quick determination of the torsion points on an elliptic curve over Q. See Section 9.6 for another method. THEOREM 8.7 (Lutz-Nagell) Let E be given by y 2 = x3 + Ax + B with A, B ∈ Z. Let P = (x, y) ∈ E(Q). Suppose P has finite order. Then x, y ∈ Z. If y
= 0 then y 2 |4A3 + 27B 2 . PROOF Suppose x or y is not in Z. Then there is some prime p dividing the denominator of one of them. By part (2) of Theorem 8.1, P ∈ Er for some r ≥ 1. Let  be a prime dividing the order n of P . Then Q = (n/)P has order . By Corollary 8.6,  = p. Choose j such that Q ∈ Ej , Q
∈ Ej+1 . Then λj (Q)
≡ 0 (mod p), and pλj (Q) = λj (pQ) ≡ 0 (mod p4j ). Therefore,

λj (Q) ≡ 0 (mod p4j−1 ).

This contradicts the fact that λj (Q)
≡ 0 (mod p). It follows that x, y ∈ Z. Assume y
= 0. Then 2P = (x2 , y2 )
= ∞. Since 2P has finite order, x2 , y2 ∈ Z. By Theorem 3.6, x2 =

x4 − 2Ax2 − 8Bx + A2 . 4y 2

Since x2 ∈ Z, this implies that y 2 |x4 − 2Ax2 − 8Bx + A2 . A straightforward calculation shows that (3x2 + 4A)(x4 − 2Ax2 − 8Bx + A2 ) − (3x3 − 5Ax − 27B)(x3 + Ax + B) = 4A3 + 27B 2 .

206

CHAPTER 8 ELLIPTIC CURVES OVER Q

Since y 2 = x3 + Ax + B, we see that y 2 divides both terms on the left. Therefore, y 2 |4A3 + 27B 2 . COROLLARY 8.8 Let E be an elliptic curve over Q. Then the torsion subgroup of E(Q) is finite. PROOF A suitable change of variables puts the equation for E into Weierstrass form with integer coefficients. Theorem 8.7 now shows that there are only finitely many possibilities for the torsion points. Example 8.1 Let E be given by y 2 = x3 + 4. Then 4A3 + 27B 2 = 432. Let P = (x, y) be a point of finite order in E(Q). Since 0 = x3 + 4 has no rational solutions, we have y
= 0. Therefore, y 2 |432, so y = ±1, ±2, ±3, ±4, ±6, ±12. Only y = ±2 yields a rational value of x, so the only possible torsion points are (0, 2) and (0, −2). A quick calculation shows that 3(0, ±2) = ∞. Therefore, the torsion subgroup of E(Q) is cyclic of order 3. Example 8.2 Let E be given by y 2 = x3 + 8. Then 4A3 + 27B 2 = 1728. If y = 0, then x = −2. The point (−2, 0) has order 2. If y
= 0, then y 2 |1728, which means that y|24. Trying the various possibilities, we find the points (1, ±3) and (2, ±4). However, 2(1, 3) = (−7/4, −13/8) and 2(2, 4) = (−7/4, 13/8). Since these points do not have integer coordinates, they cannot have finite order. Therefore, (1, 3) and (2, 4) cannot have finite order. It follows that the torsion subgroup of E(Q) is {∞, (−2, 0)}. (Remark: The fact that 2(1, 3) = −2(2, 4) leads us to suspect, and easily verify, that (1, 3) + (2, 4) = (−2, 0).)

Suppose we use the Lutz-Nagell theorem and obtain a possible torsion point P . How do we decide whether or not it’s a torsion point? In the previous example, we multiplied P by an integer and obtained a nontorsion point. Therefore, P was not a torsion point. In general, the Lutz-Nagell theorem explicitly gives a finite list of possibilities for torsion points. If P is a torsion point, then, for every n, the point nP must either be ∞ or be on that list. Since there are only finitely many points on the list, either we’ll have nP = mP for some m
= n, in which case P is torsion and (n − m)P = ∞, or some

SECTION 8.1 THE TORSION SUBGROUP. THE LUTZ-NAGELL THEOREM

207

multiple nP is not on the list and P is not torsion. Alternatively, we can use Mazur’s theorem (Theorem 8.11 below), which says that the order of a torsion point in E(Q) is at most 12. Therefore, if nP
= ∞ for all n ≤ 12, then P is not torsion. Consequently, it is usually not hard to check each possibility in the Lutz-Nagell theorem and see which ones yield torsion points. However, sometimes the discriminant is hard to factor, and sometimes it contains many factors. In this case, another algorithm can be used. See Section 9.6. Another technique that helps us determine the torsion subgroup involves reduction mod primes. The main result needed is the following. THEOREM 8.9 Let E be an elliptic curve given by y 2 = x3 + Ax + B with A, B ∈ Z. Let p be an odd prime and assume p
4A3 + 27B 2 . Let ρp : E(Q) → E(Fp ) be the reduction mod p map. If P ∈ E(Q) has finite order and ρp (P ) = ∞, then P = ∞. REMARK 8.10 In general, reduction mod a prime ideal containing p is injective on the prime-to-p torsion in E(Q). This is similar to the situation in algebraic number theory, where reduction mod a prime ideal containing p is injective on roots of unity of order prime to p (see [129]). PROOF By Theorem 8.7, all of the torsion points (other than ∞) have integral coordinates, so they reduce to well-defined finite points mod p. In particular, ∞ is the only point that reduces to ∞. Example 8.3 Let’s use Theorem 8.9 to find the torsion on y 2 = x3 + 8. We have 4A3 + 27B 2 = 1728 = 26 · 33 , so we cannot use the primes 2, 3. The reduction mod 5 has 6 points, so Theorem 8.9 implies that the torsion in E(Q) has order dividing 6. The reduction mod 7 has 12 points, so the torsion has order dividing 12, which gives no new information. The reduction mod 11 has 12 points, so we again get no new information. However, the reduction mod 13 has 16 points, so the torsion in E(Q) has order dividing 16. It follows that the torsion group has order dividing 2. Since (−2, 0) is a point of order 2, the torsion has order exactly 2. This is of course the same result that we obtained earlier using the Lutz-Nagell theorem. Example 8.4 In the preceding example, the Lutz-Nagell theorem was perhaps at least as fast as Theorem 8.9 in determining the order of the torsion subgroup. This is

208

CHAPTER 8 ELLIPTIC CURVES OVER Q

not always the case. Let E be given by y 2 = x3 + 18x + 72. Then 4A3 + 27B 2 = 163296 = 25 · 36 · 7. The Lutz-Nagell theorem would require us to check all y with y 2 |163296, which amounts to checking all y|108 = 22 · 33 . Instead, the reduction mod 5 has 5 points and the reduction mod 11 has 8 points. It follows that the torsion subgroup of E(Q) is trivial. Finally, we mention a deep result of Mazur, which we will not prove (see [77]). THEOREM 8.11 Let E be an elliptic curve defined over Q. Then the torsion subgroup of E(Q) is one of the following: Zn with 1 ≤ n ≤ 10 or n = 12, Z2 ⊕ Z2n with 1 ≤ n ≤ 4. REMARK 8.12 For each of the groups in the theorem, there are infinitely many elliptic curves E (with distinct j-invariants) having that group as the torsion subgroup of E(Q). See Exercise 8.1 for examples of each possibility.

8.2 Descent and the Weak Mordell-Weil Theorem We start with an example that has its origins in the work of Fermat (see Section 8.6). Example 8.5 Let’s look at rational points on the curve E given by y 2 = x(x − 2)(x + 2). If y = 0, we have x = 0, ±2. Therefore, assume y
= 0. Since the product of x, x − 2, and x + 2 is a square, intuition suggests that each of these factors should, in some sense, be close to being a square. Write x = au2 x − 2 = bv 2 x + 2 = cw2

SECTION 8.2 DESCENT AND THE WEAK MORDELL-WEIL THEOREM

209

with rational numbers a, b, c, u, v, w. Then y 2 = abc(uvw)2 , so abc is a square. By adjusting u, v, w, we may assume that a, b, c are squarefree integers. In fact, we claim that a, b, c ∈ {±1, ±2}. Suppose that p is an odd prime dividing a. Since a is squarefree, p2
a, so the exact power pk dividing x = au2 has k odd. If k < 0, then pk is the exact power of p in the denominator of x ± 2, so p3k is the power of p in the denominator of y 2 = x(x − 2)(x + 2). Since 3k is odd and y 2 is a square, this is impossible. If k > 0 then x ≡ 0 (mod p), so x ± 2
≡ 0 (mod p). Therefore, pk is the power of p dividing y 2 . Since k is odd, this is impossible. Therefore, p
a. Similarly, no odd prime divides b or c. Therefore, each of a, b, c is, up to sign, a power of 2. Since they are squarefree, this proves the claim. The procedure we are following is called descent, or, more precisely, a 2-descent. Suppose x is a rational number with at most N digits in its numerator and denominator. Then u, v, w should have at most N/2 digits (approximately) in their numerators and denominators. Therefore, if we are searching for points (x, y), we can instead search for smaller numbers u, v, w. This method was developed by Fermat. See Section 8.6. We have four choices for a and four choices for b. Since a and b together determine c (because abc is a square), there are 16 possible combinations for a, b, c. We can eliminate some of them quickly. Since x(x−1)(x+2) = y 2 > 0, we have cw2 = x + 2 > 0, so c > 0. Since abc > 0, it follows that a and b must have the same sign. We are now down to 8 possible combinations. Let’s consider (a, b, c) = (1, 2, 2). We have x = u2 ,

x − 2 = 2v 2 ,

x + 2 = 2w2

with rational numbers u, v, w. Therefore, u2 − 2v 2 = 2,

u2 − 2w2 = −2.

If v has 2 in its denominator, then 2v 2 has an odd power of 2 in its denominator. But u2 has an even power of 2 in its denominator, so u2 − 2v 2 cannot be an integer. This contradiction shows that v and u have odd denominators. Therefore, we may consider u, v mod powers of 2. Since 2|u2 , we have 2|u, hence 4|u2 . Therefore, −2v 2 ≡ 2 (mod 4), which implies that 2
v. Similarly, −2w2 ≡ −2 (mod 4), so 2
w. It follows that v 2 ≡ w2 ≡ 1 (mod 8), so 2 ≡ u2 − 2v 2 ≡ u2 − 2 ≡ u2 − 2w2 ≡ −2

(mod 8),

which is a contradiction. It follows that (a, b, c) = (1, 2, 2) is impossible. Similar considerations eliminate the combinations (−1, −1, 1), (2, 1, 2), and

210

CHAPTER 8 ELLIPTIC CURVES OVER Q

(−2, −2, 1) for (a, b, c) (later, we’ll see a faster way to eliminate them). Only the combinations (a, b, c) = (1, 1, 1), (−1, −2, 2), (2, 2, 1), (−2, −1, 2) remain. As we’ll see below, these four combinations correspond to the four points that we already know about, namely, ∞, (0, 0), (2, 0), (−2, 0) (this requires some explanation, which will be given later). As we’ll see later, the fact that we eliminated all combinations except those coming from known points implies that we have found all points, except possibly points of odd order, on the curve. The Lutz-Nagell theorem, or reduction mod 5 and 7 (see Theorem 8.9), shows that there are no nontrivial points of odd order. Therefore, we have found all rational points on E: E(Q) = {∞, (0, 0), (2, 0), (−2, 0)}.

The calculations of the example generalize to elliptic curves E of the form y 2 = (x − e1 )(x − e2 )(x − e3 ) with e1 , e2 , e3 ∈ Z and ei
= ej when i
= j. In fact, they extend to even more general situations. If ei ∈ Q but ei
∈ Z, then a change of variables transforms the equation to one with ei ∈ Z, so this situation gives nothing new. However, if ei
∈ Q, the method still applies. In order to keep the discussion elementary, we’ll not consider this case, though we’ll say a few things about it later. Assuming that x, y ∈ Q, write x − e1 = au2 x − e2 = bv 2 x − e3 = cw2 with rational numbers a, b, c, u, v, w. Then y 2 = abc(uvw)2 , so abc is a square. By adjusting u, v, w, we may assume that a, b, c are squarefree integers. PROPOSITION 8.13 Let S = {p | p is prime and p|(e1 − e2 )(e1 − e3 )(e2 − e3 )}. If p is a prime and p|abc, then p ∈ S.

SECTION 8.2 DESCENT AND THE WEAK MORDELL-WEIL THEOREM

211

PROOF Suppose p|a. Then pk , with k odd, is the exact power of p dividing x − e1 . If k < 0, then pk is the power of p in the denominator of x − e2 and x − e3 . Therefore, p3k is the power of p in the denominator of y 2 , which is impossible. Therefore k > 0. This means that x ≡ e1 (mod p). Also, x has no p in its denominator, so the same is true of bv 2 = x − e2 and cw2 = x − e3 . Moreover, bv 2 ≡ e1 − e2 and cw2 ≡ e1 − e3 (mod p). If p
∈ S, then the power of p in y 2 = (au2 )(bv 2 )(cw2 ) is pk p0 p0 = pk . Since k is odd, this is impossible. Therefore, p ∈ S. Since S is a finite set, there are only finitely many combinations (a, b, c) that are possible. The following theorem shows that the set of combinations that actually come from points (x, y) has a group structure modulo squares. 2 Let Q× /Q× denote the group of rational numbers modulo squares. This means that we regard two nonzero rational numbers x1 , x2 as equivalent if the 2 ratio x1 /x2 is the square of a rational number. Every element of Q× /Q× can be represented by ±1 times a (possibly empty) product of distinct primes. Note that if x − e1 = au2 , then x − e1 is equivalent to a mod squares. Therefore, the map φ in the following theorem maps a point (x, y)
∈ E[2] to the corresponding triple (a, b, c). THEOREM 8.14 Let E be given by y 2 = (x − e1 )(x − e2 )(x − e3 ) with e1 , e2 , e3 ∈ Z. The map 2

2

2

φ : E(Q) → (Q× /Q× ) ⊕ (Q× /Q× ) ⊕ (Q× /Q× ) defined by (x, y) → (x − e1 , x − e2 , x − e3 ) when y
= 0 ∞ → (1, 1, 1) (e1 , 0) → ((e1 − e2 )(e1 − e3 ), e1 − e2 , e1 − e3 ) (e2 , 0) →  (e2 − e1 , (e3 , 0) →  (e3 − e1 ,

(e2 − e1 )(e2 − e3 ), e2 − e3 ) e3 − e2 , (e3 − e1 )(e3 − e2 ))

is a homomorphism. The kernel of φ is 2E(Q). PROOF First, we show that φ is a homomorphism. Suppose Pi = (xi , yi ), i = 1, 2, 3, are points lying on the line y = ax + b. Assume for the moment that yi
= 0. The polynomial (x − e1 )(x − e2 )(x − e3 ) − (ax + b)2 has leading coefficient 1 and has roots x1 , x2 , x3 (with the correct multiplicities). Therefore, (x − e1 )(x − e2 )(x − e3 ) − (ax + b)2 = (x − x1 )(x − x2 )(x − x3 ).

212

CHAPTER 8 ELLIPTIC CURVES OVER Q

Evaluating at ei yields 2

(x1 − ei )(x2 − ei )(x3 − ei ) = (aei + b)2 ∈ Q× . Since this is true for each i, 2

2

φ(P1 )φ(P2 )φ(P3 ) = 1 ∈ Q× /Q× ⊕ Q× /Q× ⊕ Q× /Q×

2

(that is, the product is a square, hence is equivalent to 1 mod squares). Since any number z is congruent to its multiplicative inverse mod squares (that is, z equals 1/z times a square), φ(P3 )−1 = φ(P3 ) = φ(−P3 ). Therefore, φ(P1 )φ(P2 ) = φ(−P3 ) = φ(P1 + P2 ). To show that φ is a homomorphism, it remains to check what happens when one or both of P1 , P2 is a point of order 1 or 2. The case where a point Pi is of order 1 (that is, Pi = ∞) is trivial. If both P1 and P2 have order 2, a case by case check shows that φ(P1 + P2 ) = φ(P1 )φ(P2 ). Finally, suppose that P1 has order 2 and P2 has y2
= 0. Let’s assume P1 = (e1 , 0). The other possibilities are similar. Since the values of φ are triples, let φ1 , φ2 , φ3 denote the three components of φ (so φ = (φ1 , φ2 , φ3 )). The proof given above shows that φi (P1 )φi (P2 ) = φi (P1 + P2 ) for i = 2, 3. So it remains to consider φ1 . By inspection, φ1 (P )φ2 (P )φ3 (P ) = 1 for all P . Since φi (P1 )φi (P2 ) = φi (P1 + P2 ) for i = 2, 3, the relation holds for i = 1, too. Therefore, φ is a homomorphism. Putting everything together, we see that φ is a homomorphism. To prove the second half of the theorem, we need to show that if x − ei is a square for all i, then (x, y) = 2P for some point P ∈ E(Q). Let x − ei = vi2 ,

i = 1, 2, 3.

For simplicity, we’ll assume that e1 + e2 + e3 = 0, which means that the equation for our elliptic curve has the form y 2 = x3 +Ax+B. (If e1 +e2 +e3
= 0, the coefficient of x2 is nonzero. A simple change of variables yields the present case.) Let f (T ) = u0 + u1 T + u2 T 2 satisfy f (ei ) = vi ,

i = 1, 2, 3.

SECTION 8.2 DESCENT AND THE WEAK MORDELL-WEIL THEOREM

213

Such an f exists since there is a unique quadratic polynomial whose graph passes through any three points that have distinct x-coordinates. In fact 1 (T − e2 )(T − e3 ) (e1 − e2 )(e1 − e3 ) 1 (T − e1 )(T − e3 ) + v2 (e2 − e1 )(e2 − e3 ) 1 + v3 (T − e1 )(T − e2 ). (e3 − e1 )(e3 − e2 )

f (T ) = v1

Let g(T ) = x − T − f (T )2 . Then g(ei ) = 0 for all i, so T 3 + AT + B = (T − e1 )(T − e2 )(T − e3 ) divides g(T ). Therefore, g(T ) ≡ 0 (mod T 3 + AT + B), so x − T ≡ (u0 + u1 T + u2 T 2 )2

(mod T 3 + AT + B).

(We say that two polynomials P1 , P2 are congruent mod P3 if P1 − P2 is a multiple of P3 .) This congruence for x − T can be thought of as a way of simultaneously capturing the information that x − ei is a square for all i. Mod T 3 + AT + B, we have T 3 ≡ −AT − B,

T 4 ≡ T · T 3 ≡ −AT 2 − BT.

Therefore, x − T ≡ (u0 + u1 T + u2 T 2 )2 ≡ u20 + 2u0 u1 T + (u21 + 2u0 u2 )T 2 + 2u1 u2 T 3 + u22 T 4 ≡ (u20 − 2Bu1 u2 ) + (2u0 u1 − 2Au1 u2 − Bu22 )T +(u21 + 2u0 u2 − Au22 )T 2 .

If two polynomials P1 and P2 of degree at most two are congruent mod a polynomial of degree three, then their difference P1 − P2 is a polynomial of degree at most two that is divisible by a polynomial of degree three. This can only happen if P1 = P2 . In our case, this means that x = u20 − 2Bu1 u2 −1 = 2u0 u1 − 2Au1 u2 − 0 = u21 + 2u0 u2 − Au22 .

(8.1) Bu22

(8.2) (8.3)

If u2 = 0 then (8.3) implies that also u1 = 0. Then f (T ) is constant, so v1 = v2 = v3 . This means that e1 = e2 = e3 , contradiction. Therefore, u2
= 0. Multiply (8.3) by u1 /u32 and multiply (8.2) by 1/u22 , then subtract to obtain

2
3 u1 u1 1 = +A + B. u2 u2 u2

214

CHAPTER 8 ELLIPTIC CURVES OVER Q

Let x1 =

u1 , u2

y1 =

1 , u2

so (x1 , y1 ) ∈ E(Q). We claim that 2(x1 , y1 ) = ±(x, y). Equation 8.3 implies that u0 =

Au22 − u21 A − x21 = . 2u2 2y1

Substituting this into (8.1) yields x=

x41 − 2Ax21 − 8Bx1 + A2 . 4y12

This is the x-coordinate of 2(x1 , y1 ) (see Theorem 3.6). The y-coordinate is determined up to sign by the x-coordinate, so 2(x1 , y1 ) = (x, ±y) = ±(x, y). It follows that (x, y) = 2(x1 , y1 ) or 2(x1 , −y1 ). In particular, (x, y) ∈ 2E(Q).

Example 8.6 We continue with Example 8.5. For the curve y 2 = x(x − 2)(x + 2), we have φ(∞) = (1, 1, 1),

φ(0, 0) = (−1, −2, 2),

φ(2, 0) = (2, 2, 1),

φ(−2, 0) = (−2, −1, 2)

(we used the fact that 4 and 1 are equivalent mod squares to replace 4 by 1). We eliminated the triple (a, b, c) = (1, 2, 2) by working mod powers of 2. We now show how to eliminate (−1, −1, 1), (2, 1, 2), (−2, −2, 1). Suppose there is a point P with φ(P ) = (−1, −1, 1). Then φ(P + (0, 0)) = φ(P )φ(0, 0) = (−1, −1, 1)(−1, −2, 2) = (1, 2, 2). But we showed that (1, 2, 2) does not come from a point in E(Q). Therefore, P does not exist. The two other triples are eliminated similarly. Theorem 8.14 has a very important corollary. THEOREM 8.15 (Weak Mordell-Weil Theorem) Let E be an elliptic curve defined over Q. Then E(Q)/2E(Q) is finite. PROOF We give the proof in the case that e1 , e2 , e3 ∈ Q. As remarked earlier, we may assume that e1 , e2 , e3 ∈ Z. The map φ in Theorem 8.14 gives

SECTION 8.3 HEIGHTS AND THE MORDELL-WEIL THEOREM

215

an injection 2

2

2

E(Q)/2E(Q) → (Q× /Q× ) ⊕ (Q× /Q× ) ⊕ (Q× /Q× ). Proposition 8.13 says that if (a, b, c) (where a, b, c are chosen to be squarefree integers) is in the image of φ, then a, b, c are products of primes in the set S of Proposition 8.13. Since S is finite, there are only finitely many such a, b, c mod squares. Therefore, the image of φ is finite. This proves the theorem.

REMARK 8.16 (for those who know some algebraic number theory) Let K/Q be a finite extension. The theorem can be extended to say that if E is an elliptic curve over K then E(K)/2E(K) is finite. If we assume that x3 + Ax + B = (x − e1 )(x − e2 )(x − e3 ) with all ei ∈ K, then the proof is the same except that the image of φ is contained in 2

2

2

(K × /K × ) ⊕ (K × /K × ) ⊕ (K × /K × ). Let OK be the ring of algebraic integers of K. To make things simpler, we invert some elements in order to obtain a unique factorization domain. Take a nonzero element from an integral ideal in each ideal class of OK and let M be the multiplicative subset generated by these elements. Then M −1 OK is a principal ideal domain, hence a unique factorization domain. The analogue of Proposition 8.13 says that the primes of M −1 OK dividing a, b, c also divide (e1 − e2 )(e1 − e3 )(e2 − e3 ). Let S ⊂ M −1 OK be the set of prime divisors of (e1 − e2 )(e1 − e3 )(e2 − e3 ). Then the image of φ is contained in the group generated by S and the units of M −1 OK . Since the class number of K is finite, M is finitely generated. A generalization of the Dirichlet unit theorem (often called the S-unit theorem) says that the units of M −1 OK are a finitely generated group. Therefore, the image of φ is a finitely generated abelian group of exponent 2, hence is finite. This proves that E(K)/2E(K) is finite.

8.3 Heights and the Mordell-Weil Theorem The purpose of this section is to change the weak Mordell-Weil theorem into the Mordell-Weil theorem. This result was proved by Mordell in 1922 for elliptic curves defined over Q. It was greatly generalized in 1928 by Weil in his thesis, where he proved the result not only for elliptic curves over number fields (that is, finite extensions of Q) but also for abelian varieties (higherdimensional analogues of elliptic curves).

216

CHAPTER 8 ELLIPTIC CURVES OVER Q

THEOREM 8.17 (Mordell-Weil) Let E be an elliptic curve defined over Q. Then E(Q) is a finitely generated abelian group. The theorem says that there is a finite set of points on E from which all other points can be obtained by repeatedly drawing tangent lines and lines through points, as in the definition of the group law. The proof will be given below. Since we proved the weak Mordell-Weil theorem only in the case that E[2] ⊆ E(Q), we obtain the theorem only for this case. However, the weak Mordell-Weil theorem is true in general, and the proof of the passage from the weak result to the strong result holds in general. From the weak Mordell-Weil theorem, we know that E(Q)/2E(Q) is finite. This alone is not enough to deduce the stronger result. For example, R/2R = 0, hence is finite, even though R is not finitely generated. In our case, suppose we have points R1 , . . . , Rn representing the finitely many cosets in E(Q)/2E(Q). Let P ∈ E(Q) be an arbitrary point. We can write P = Ri + 2P1 for some i and some point P1 . Then we write P1 = Rj + 2P2 , etc. If we can prove the process stops, then we can put things back together and obtain the theorem. The theory of heights will show that the points P1 , P2 , . . . are getting smaller, in some sense, so the process will eventually yield a point Pk that lies in some finite set of small points. These points, along with the Ri , yield the generators of E(Q). We make these ideas more precise after Theorem 8.18 below. Note that sometimes the points Ri by themselves do not suffice to generate E(Q). See Exercise 8.7. Let a/b be a rational number, where a, b are integers with gcd(a, b) = 1. Define H(a/b) = Max(|a|, |b|) and h(a/b) = log H(a/b). The function h is called the (logarithmic) height function. It is closely related to the number of digits required to write the rational number a/b. Note that, given a constant c, there are only finitely many rational numbers x with h(x) ≤ c. Now let E be an elliptic curve over Q and let (x, y) ∈ E(Q). Define h(x, y) = h(x),

h(∞) = 0,

H(x, y) = H(x),

H(∞) = 1.

It might seem strange using only the x-coordinate. Instead, we could use the y-coordinate. Since the square of the denominator of the y-coordinate is

SECTION 8.3 HEIGHTS AND THE MORDELL-WEIL THEOREM

217

the cube of the denominator of the x-coordinate (when the coefficients A, B of E are integers), it can be shown that this would change the function h approximately by a factor of 3/2. This would cause no substantial change in ˆ which will be introduced shortly, the theory. In fact, the canonical height h, 1 is defined using a limit of values of 2 h. It could also be defined as a limit of values of 1/3 of the height of the y-coordinate. These yield the same canonical height function. See [109, Lemma 6.3]. The numbers 2 and 3 are the orders of the poles of the functions x and y on E (see Section 11.1). ˆ that has slightly better It is convenient to replace h with a function h ˆ properties. The function h is called the canonical height. THEOREM 8.18 Let E be an elliptic curve defined over Q. There is a function ˆ : E(Q) → R≥0 h with the following properties: ˆ ) ≥ 0 for all P ∈ E(Q). 1. h(P ˆ )| ≤ c0 for all P . 2. There is a constant c0 such that | 12 h(P ) − h(P 3. Given a constant c, there are only finitely many points P ∈ E(Q) with ˆ ) ≤ c. h(P ˆ ) for all integers m and all P . ˆ 4. h(mP ) = m2 h(P ˆ + Q) + h(P ˆ − Q) = 2h(P ˆ ) + 2h(Q) ˆ 5. h(P for all P, Q. ˆ ) = 0 if and only if P is a torsion point. 6. h(P Property (5) is often called the parallelogram law because if the origin 0 and vectors P, Q, P + Q (ordinary vector addition) are the vertices of a parallelogram, then the sum of the squares of the lengths of the diagonals equals the sum of the squares of the lengths of the four sides: ||P + Q||2 + ||P − Q||2 = 2||P ||2 + 2||Q||2 . The proof of Theorem 8.18 will occupy most of the rest of this section. First, let’s use the theorem to deduce the Mordell-Weil theorem. Proof of the Mordell-Weil theorem: Let R1 , . . . , Rn be representatives for E(Q)/2E(Q). Let ˆ i )} c = Maxi {h(R ˆ i ) ≤ c. This is a finite set by and let Q1 , . . . , Qm be the set of points with h(Q Theorem 8.18. Let G be the subgroup of E(Q) generated by R1 , . . . , Rn , Q1 , . . . , Qm .

218

CHAPTER 8 ELLIPTIC CURVES OVER Q

We claim that G = E(Q). Suppose not. Let P ∈ E(Q) be an element not in G. Since, for a point P , there are only finitely many points of height less than P , we may change P to one of these, if necessary, and assume P has the smallest height among points not in G. We may write P − Ri = 2P1 for some i and some P1 . By Theorem 8.18, ˆ ˆ ˆ 1 ) = h(2P 4h(P 1 ) = h(P − Ri ) ˆ ) + 2h(R ˆ i ) − h(P ˆ + Ri ) = 2h(P ˆ ) + 2c + 0 ≤ 2h(P ˆ ) + 2h(P ˆ ) = 4h(P ˆ ) < 2h(P ˆ ), because P
= Qj ). Therefore, (since c < h(P ˆ ). ˆ 1 ) < h(P h(P Since P had the smallest height for points not in G, we must have P1 ∈ G. Therefore, P = Ri + 2P1 ∈ G. This contradiction proves that E(Q) = G. This completes the proof of the Mordell-Weil theorem. It remains to prove Theorem 8.18. The key step is the following. PROPOSITION 8.19 There exists a constant c1 such that |h(P + Q) + h(P − Q) − 2h(P ) − 2h(Q)| ≤ c1 for all P, Q ∈ E(Q). The proof is rather technical, so we postpone it in order to complete the proof of Theorem 8.18. Proof of Theorem 8.18: Proof of parts (1) and (2): Letting Q = P in Proposition 8.19, we obtain |h(2P ) − 4h(P )| ≤ c1

(8.4)

for all P . Define

ˆ ) = 1 lim 1 h(2n P ). h(P 2 n→∞ 4n We need to prove the limit exists. We have ∞  1 1 n lim h(2 P ) = h(P ) + (h(2j P ) − 4h(2j−1 P )). j n→∞ 4n 4 j=1

(8.5)

SECTION 8.3 HEIGHTS AND THE MORDELL-WEIL THEOREM

219

By (8.4),

   1  (h(2j P ) − 4h(2j−1 P )) ≤ c1 ,  4j  4j ˆ ) exists. Since so the infinite sum converges. Therefore, h(P ∞  c1 c1 = , j 4 3 j=1

ˆ )− 1 h(P )| ≤ c1 /6. It is clear from the definitions that h(P ˆ )≥0 we obtain |h(P 2 for all P . ˆ ) ≤ c, then h(P ) ≤ 2c + c1 . There are only finitely Proof of part (3): If h(P 3 many P satisfying this inequality. Proof of part (5): We have c1 1 |h(2n P + 2n Q) + h(2n P − 2n Q) − 2h(2n P ) − 2h(2n Q)| ≤ n . 4n 4 Letting n → ∞ yields the result. Proof of part (4): Since the height depends only on the x-coordinate, ˆ ˆ ). Therefore, we may assume m ≥ 0. The cases m = 0, 1 h(−P ) = h(P are trivial. Letting Q = P in part (5) yields the case m = 2. Assume that we know the result for m − 1 and m. Then ˆ ˆ ˆ ˆ ) (by part (5)) h((m + 1)P ) = −h((m − 1)P ) + 2h(mP ) + 2h(P   ˆ ) = −(m − 1)2 + 2m2 + 2 h(P ˆ ). = (m + 1)2 h(P By induction, the result is true for all m. ˆ ) = h(mP ˆ ˆ Proof of part (6): If mP = ∞, then m2 h(P ) = h(∞) = 0, so 2ˆ ˆ ˆ ˆ h(P ) = 0. Conversely, if h(P ) = 0, then h(mP ) = m h(P ) = 0 for all m. Since there are only finitely many points of height 0, the set of multiples of P is finite. Therefore, P is a torsion point. This completes the proof of Theorem 8.18. Proof of Proposition 8.19. It remains to prove Proposition 8.19. It can be restated as saying that there exist constants c
, c

such that 2h(P ) + 2h(Q) − c
≤ h(P + Q) + h(P − Q) h(P + Q) + h(P − Q) ≤ 2h(P ) + 2h(Q) + c



(8.6) (8.7)

for all P, Q. These two inequalities will be proved separately. We’ll start with the second one. Let the elliptic curve E be given by y 2 = x3 + Ax + B with A, B ∈ Z. Let a1 a2 P = ( , y1 ), Q = ( , y2 ), b1 b2 a4 a3 P − Q = ( , y4 ) P + Q = ( , y3 ), b3 b4

220

CHAPTER 8 ELLIPTIC CURVES OVER Q

be points on E, where yi ∈ Q and ai , bi are integers with gcd(ai , bi ) = 1. Let g1 = 2(a1 b2 + a2 b1 )(Ab1 b2 + a1 a2 ) + 4Bb21 b22 g2 = (a1 a2 − Ab1 b2 )2 − 4B(a1 b2 + a2 b1 )b1 b2 g3 = (a1 b2 − a2 b1 )2 . Then a short calculation shows that a3 a4 g1 + = , b3 b4 g3

a3 a4 g2 = . b3 b4 g3

LEMMA 8.20 Let c1 , c2 , d1 , d2 ∈ Z. Then Max(|c1 |, |d1 |) · Max(|c2 |, |d2 |) ≤ 2Max(|c1 c2 |, |c1 d2 + c2 d1 |, |d1 d2 |). PROOF Without loss of generality, we may assume that |c1 | ≤ |d1 | (otherwise, switch c1 , d1 ). Let L denote the left side of the inequality of the lemma and let R denote the right side. There are three cases to consider. 1. If |c2 | ≤ |d2 |, then L = |d1 d2 | and 2|d1 d2 | ≤ R, so L ≤ R. 2. If |c2 | ≥ |d2 | ≥ (1/2)|c2 |, then L = |d1 c2 | and R ≥ 2|d1 d2 | ≥ |d1 c2 | ≥ L. 3. If |d2 | ≤ (1/2)|c2 |, then L = |d1 c2 | and R ≥ 2|c1 d2 + c2 d1 | ≥ 2(|c2 d1 | − |c1 d2 |) ≥ 2(|c2 d1 | − |d1 |(1/2)|c2 |) = |c2 d1 | = L. This completes the proof of the lemma. LEMMA 8.21 Let c1 , c2 , d1 , d2 ∈ Z with gcd(ci , di ) = 1 for i = 1, 2. Then gcd(c1 c2 , c1 d2 + c2 d1 , d1 d2 ) = 1. PROOF Let d = gcd(c1 d2 + c2 d1 , d1 d2 ). Suppose p is a prime such that p|c1 and p|d. Then p
d1 since gcd(c1 , d1 ) = 1. Since p|d1 d2 , we have p|d2 . Therefore, p
c2 . Therefore, p|c1 d2 and p
c2 d1 , so p
c1 d2 + c2 d1 . Therefore p
d, contradiction. Similarly, there is no prime dividing both c2 and d. It

SECTION 8.3 HEIGHTS AND THE MORDELL-WEIL THEOREM

221

follows that there is no prime dividing c1 c2 and d, so the gcd in the lemma is 1. We can apply the lemmas to a3 , a4 , b3 , b4 . gcd(a4 , b4 ) = 1, we have

Since gcd(a3 , b3 ) = 1 and

gcd(a3 a4 , a3 b4 + a4 b3 , b3 b4 ) = 1. Therefore, there exist integers x, y, z such that a3 a4 x + (a3 b4 + a4 b3 )y + b3 b4 z = 1. Since g3 (a3 b4 + a4 b3 ) = g1 (b3 b4 ) and g3 (a3 a4 ) = g2 (b3 b4 ), we have g3 = g3 (a3 a4 )x + g3 (a3 b4 + a4 b3 )y + g3 (b3 b4 )z = g2 (b3 b4 )x + g1 (b3 b4 )y + g3 (b3 b4 )z. Therefore, b3 b4 |g3 , so

|b3 b4 | ≤ |g3 |.

Similarly, |a3 a4 | ≤ |g2 |. Equation 8.8 and the fact that |b3 b4 | ≤ |g3 | imply that |a3 b4 + a4 b3 | ≤ |g1 |. In terms of the nonlogarithmic height H, these inequalities say that H(P + Q) · H(P − Q) = Max(|a3 |, |b3 |) · Max(|a4 |, |b4 |) ≤ 2Max(|a3 a4 |, |a3 b4 + a4 b3 |, |b3 b4 |) ≤ 2Max(|g2 |, |g1 |, |g3 |). Let H1 = Max(|a1 |, |b1 |) and H2 = Max(|a2 |, |b2 |). Then |g1 | = |2(a1 b2 + a2 b1 )(Ab1 b2 + a1 a2 ) + 4Bb21 b22 |

≤ 2(H1 H2 + H2 H1 )(|A|H1 H2 + H1 H2 ) + 4|B|H12 H22 ≤ 4(|A| + 1 + |B|)H12 H22 .

Similarly, |g2 | ≤ ((1 + |A|)2 + 8|B|)H12 H22 ,

|g3 | ≤ 4H12 H22 .

Therefore, H(P + Q) · H(P − Q) ≤ CH12 H22 = CH(P )2 H(Q)2

(8.8)

222

CHAPTER 8 ELLIPTIC CURVES OVER Q

for some constant C. Taking logs yields h(P + Q) + h(P − Q) ≤ 2h(P ) + 2h(Q) + c



(8.9)

for some constant c

. We now need to prove the inequality in (8.6). First we’ll prove an inequality between h(R) and h(2R) for points R. LEMMA 8.22 Let R ∈ E(Q). There exists a constant C2 , independent of R, such that 4h(R) ≤ h(2R) + C2 . PROOF

Let

a R = ( , y) b with y ∈ Q and a, b ∈ Z with gcd(a, b) = 1. Let h1 = a4 − 2Aa2 b2 − 8Bab3 + A2 b4 h2 = (4b)(a3 + Aab2 + Bb3 ) ∆ = 4A3 + 27B 2 .

By Lemma 3.8, there exist homogeneous polynomials r1 , r2 , s1 , s2 ∈ Z[a, b] of degree 3 (the coefficients depend on A, B) such that 4∆b7 = r1 h1 + r2 h2 4∆a7 = s1 h1 + s2 h2 . For a homogeneous polynomial p(x, y) = c0 x3 + c1 x2 y + c2 xy 2 + c3 y 3 , we have

|p(a, b)| ≤ (|c0 | + |c1 | + |c2 | + |c3 |)Max(|a|, |b|)3 .

Suppose |b| ≥ |a|. It follows that |4∆||b|7 ≤ |r1 (a, b)||h1 | + |r2 (a, b)||h2 | ≤ C1 |b|3 Max(|h1 |, |h2 |), for some constant C1 independent of R. Therefore, |4∆||b|4 ≤ C1 Max(|h1 |, |h2 |). Let d = gcd(h1 , h2 ). Then (8.10) and (8.11) imply that d | 4∆b7 and d | 4∆a7 .

(8.10) (8.11)

SECTION 8.4 EXAMPLES

223

Since gcd(a, b) = 1, we have d|4∆, so d ≤ |4∆|. Since
 |h1 | |h2 | , H(2R) = Max , d d we have |4∆|H(R)4 = |4∆||b|4 ≤ C1 Max(|h1 |, |h2 |) |h1 | |h2 | , ) ≤ C1 |4∆| Max( d d ≤ C1 |4∆|H(2R). Dividing by |4∆| and taking logs yields 4h(R) ≤ h(2R) + C2 for some constant C2 , independent of R. The case where |a| ≥ |b| is similar. This completes the proof of Lemma 8.22. Changing P to P + Q and Q to P − Q in (8.9) yields h(2P ) + h(2Q) ≤ 2h(P + Q) + 2h(P − Q) + c

. By Lemma 8.22, 4h(P ) + 4h(Q) − 2C2 ≤ h(2P ) + h(2Q). Therefore,

2h(P ) + 2h(Q) − c
≤ h(P + Q) + h(P − Q)

for some constant c
. This completes the proof of Proposition 8.19.

8.4 Examples The Mordell-Weil theorem says that if E is an elliptic curve defined over Q, then E(Q) is a finitely generated abelian group. The structure theorem for such groups (see Appendix B) says that E(Q) T ⊕ Zr , where T is a finite group (the torsion subgroup) and r ≥ 0 is an integer, called the rank of E(Q). In Section 8.1, we showed how to compute T .

224

CHAPTER 8 ELLIPTIC CURVES OVER Q

The integer r is harder to compute. In this section, we show how to use the methods of the previous sections to compute r in some cases. In Section 8.8, we’ll give an example that shows why the computation of r is sometimes difficult. Example 8.7 Let E be the curve

y 2 = x3 − 4x.

In Section 8.2, we showed that E(Q)/2E(Q) = {∞, (0, 0), (2, 0), (−2, 0)} (more precisely, the points on the right are representatives for the cosets on the left). Moreover, an easy calculation using the Lutz-Nagell theorem shows that the torsion subgroup of E(Q) is T = E[2]. From Theorem 8.15, we have E(Q) T ⊕ Zr , so E(Q)/2E(Q) (T /2T ) ⊕ Zr2 = T ⊕ Zr2 . Since E(Q)/2E(Q) has order 4, we must have r = 0. Therefore, E(Q) = E[2] = {∞, (0, 0), (2, 0), (−2, 0)}.

Example 8.8 Let E be the curve

y 2 = x3 − 25x.

This curve E appeared in Chapter 1, where we found the points (0, 0), (5, 0), (−5, 0), (−4, 6). We also calculated the point 2(−4, 6) = (

412 −62279 ). , 122 1728

Since 2(−4, 6) does not have integer coordinates, (−4, 6) cannot be a torsion point, by Theorem 8.7. In fact, a calculation using the Lutz-Nagell theorem shows that the torsion subgroup is T = {∞, (0, 0), (5, 0), (−5, 0)} Z2 ⊕ Z2 .

SECTION 8.4 EXAMPLES

225

We claim that E(Q) Z2 ⊕ Z2 ⊕ Z. We know that the rank r is at least 1, because there is a point (−4, 6) of infinite order. The problem is to show that the rank is exactly 1. Consider the map 2

2

2

φ : E(Q) → (Q× /Q× ) ⊕ (Q× /Q× ) ⊕ (Q× /Q× ) of Theorem 8.14 defined by (x, y) → (x, x − 5, x + 5) when y
= 0. Therefore, φ(−4, 6) = (−1, −1, 1), where we have used the fact that −4 and −9 are equivalent to −1 mod squares. Also, from Theorem 8.14, φ(∞) = (1, 1, 1) φ(0, 0) = (−1, −5, 5) φ(5, 0) = (5, 2, 10) φ(−5, 0) = (−5, −10, 2). Since φ is a homomorphism, we immediately find that φ(−4, 6) times any of these triples is in the image of φ, so (1, 5, 5), (−5, −2, 10), (5, 10, 2) correspond to points. If we write x = au2 x − 5 = bv 2 x + 5 = cw2 , we have φ(x, y) = (a, b, c). From Proposition 8.13, we may assume a, b, c ∈ {±1, ±2, ±5, ±10}. Also, abc is a square, so c is determined by a, b. Therefore, we’ll often ignore c and concentrate on the possibilities for a, b. There are 64 possible pairs a, b. So far, we have 8 pairs that correspond to points. Let’s record them in a list, which we’ll refer to as L in the following: L = {(1, 1), (1, 5), (−1, −1), (−1, −5), (5, 2), (5, 10), (−5, −2), (−5, −10)}.

226

CHAPTER 8 ELLIPTIC CURVES OVER Q

Our job is to eliminate the remaining 56 possibilities. Observe that x − 5 = bv 2 < x = au2 < x + 5 = cw2 . If a < 0, then b < 0. If a > 0 then c > 0, hence b > 0 since abc is a square. Therefore, a and b have the same sign. This leaves 32 possible pairs a, b. We now consider, and eliminate, three special pairs a, b. The fact that φ is a homomorphism will then suffice to eliminate all but the eight pairs corresponding to known points. (a,b)=(2,1). We have x = 2u2 x − 5 = v2 x + 5 = 2w2 . Therefore,

2u2 − v 2 = 5,

2w2 − 2u2 = 5.

If one of u or v has an even denominator, then so does the other. However, 2u2 has an odd power of 2 in its denominator, while v 2 has an even power of 2 in its denominator. Therefore, 2u2 − v 2 is not an integer, contradiction. It follows that u, v have odd denominators, so we may work with them mod powers of 2. Since v 2 ≡ −5 (mod 2), we must have v odd. Therefore, v 2 ≡ 1 (mod 8), so 2u2 ≡ 6 (mod 8). This implies that u2 ≡ 3 (mod 4), which is impossible. Therefore, the pair (a, b) = (2, 1) is eliminated. (a,b)=(5,1). We have x = 5u2 x − 5 = v2 x + 5 = 5w2 . Therefore,

5u2 − v 2 = 5,

5w2 − 5u2 = 5.

If the denominator of one of u or v is divisible by 5, then so is the other. But 5u2 then has an odd power of 5 in its denominator, while v 2 has an even power of 5 in its denominator. This is impossible, so the denominators of both u and v are not divisible by 5. Since w2 − u2 = 1, the same holds for w. Therefore, we can work with u, v, w mod 5. We have v ≡ 0 (mod 5), so we can write v = 5v1 . Then u2 − 5v12 = 1, so u2 ≡ 1 (mod 5). Therefore, w2 = 1 + u2 ≡ 2 (mod 5). This is impossible. Therefore, the pair (a, b) = (5, 1) is eliminated.

SECTION 8.4 EXAMPLES

227

(a,b)=(10, 1). We have x = 10u2 x − 5 = v2 x + 5 = 10w2 . Therefore, 10u2 − v 2 = 5,

10w2 − 10u2 = 5.

As before, the denominators of u, v, w are not divisible by 5. Write v = 5v1 . Then 2u2 − 5v12 = 1, so 2u2 ≡ 1 (mod 5). This is impossible, so the pair (a, b) = (10, 1) is eliminated. The pairs (a, 1) with a < 0 are eliminated since a, b must have the same sign. Therefore, (1, 1) = φ(∞) is the only pair of the form (a, 1) corresponding to a point. Let (a, b) be any pair. There is a point P with φ(P ) = (a
, b) on the list L for some a
. If there is a point Q with φ(Q) = (a, b), then φ(P − Q) = (a
, b)(a, b)−1 = (a

, 1) for some a

. We showed that (a

, 1) is not in the image of φ when a


= 1. Therefore, a

= 1, so a = a
and (a, b) = (a
, b) = φ(P ). Consequently, the only pairs in the image of φ are those on the list L. As stated above, the torsion subgroup of E(Q) is E[2], so E(Q)/2E(Q) Z2 ⊕ Z2 ⊕ Zr2 for some r. Since the image of φ has order 8 and the kernel of φ is 2E(Q), the order of E(Q)/2E(Q) is 8. Therefore, r = 1. This implies that E(Q) Z2 ⊕ Z2 ⊕ Z. Note that we have also proved that E[2] and (−4, 6) generate a subgroup of E(Q) of odd index. It can be shown that they actually generate the whole group. This would require making the constants in the proof of Theorem 8.17 more explicit, then finding all points with heights less than an explicit bound to obtain a generating set. Silverman [110] proved the following. THEOREM 8.23 Let E be defined over Q by the equation y 2 = x3 + Ax + B

228

CHAPTER 8 ELLIPTIC CURVES OVER Q

with A, B ∈ Z. Then 1 1 ˆ ) − 1 h(P ) − h(j) − h(∆) − 0.973 ≤ h(P 8 12 2 1 1 ≤ h(j) + h(∆) + 1.07 12 12 for all P ∈ E(Q). Here ∆ = −16(4A3 + 27B 2 ) and j = −1728(4A)3 /∆. For the curve y 2 = x3 − 25x, we have ∆ = 106 and j = 1728. Therefore, ˆ ) − 1 h(P ) < 2.843 −3.057 < h(P 2 for all P ∈ E(Q). The points (0, 0), (5, 0), (−5, 0), (−4, 6) generate the group E(Q)/2E(Q). The first three of these points have canonical height 0 since they are torsion points. The point (−4, 6) has canonical height 0.94974 . . . (this can be calculated using the series (8.5)). The proof of Theorem 8.17 shows that the points with canonical height at most 0.94974 . . . generate E(Q). Theorem 8.23 says that such points have noncanonical height h(P ) < 8.02. Since e8.02 ≈ 3041, the nonlogarithmic height of the x-coordinate is at most 3041. Therefore, we need to find all points (x, y) ∈ E(Q) such that x=

a b

with Max(|a|, |b|) ≤ 3041.

It is possible to find all such points using a computer. The fact that the denominator of x must be a perfect square can be used to speed up the search. We find the points (0, 0),

(−5, 0),

(5, 0),

(−4, 6)

(45, −300) = (−5, 0) + (−4, 6) (25/4, 75/8) = (0, 0) + (−4, 6) (−5/9, −100/27) = (5, 0) + (−4, 6) (1681/144, −62279/1728) = 2(−4, 6) and the negatives of these points. Since these points generate E(Q), we conclude that (0, 0), (5, 0), (−5, 0), (−4, 6) generate E(Q). REMARK 8.24 In Chapter 1, we needed to find an x such that x, x − 5, and x + 5 were all squares. We did this by starting with the point (−4, 6) and finding the other point of intersection of the tangent line with the curve. In effect, we computed 412 −62279 ) 2(−4, 6) = ( 2 , 12 1728 and miraculously obtained x = 412 /122 with the desired property. We now see that this can be explained by the fact that φ is a homomorphism. Since

SECTION 8.4 EXAMPLES

229

φ(2P ) = (1, 1, 1) for any point P , we always obtain an x such that x, x − 5, and x+5 are squares when we double a point on the curve y 2 = x(x−5)(x+5).

Example 8.9 One use of descent is to find points on elliptic curves. The idea is that in the equations x − e1 = au2 x − e2 = bv 2 x − e3 = cw2 , the numerators and denominators of u, v, w are generally smaller than those of x. Therefore, an exhaustive search for u, v, w is faster than searching for x directly. For example, suppose we are looking for points on y 2 = x3 − 36x. One of the triples that we encounter is (a, b, c) = (3, 6, 2). This gives the equations x = 3u2 x − 6 = 6v 2 x + 6 = 2w2 . These can be written as

which simplify to

3u2 − 6v 2 = 6,

2w2 − 3u2 = 6,

u2 − 2v 2 = 2,

2w2 − 3u2 = 6.

A quick search through small values of u yields (u, v, w) = (2, 1, 3). This gives (x, y) = (12, 36). Note that the value of u is smaller than x. Of course, we are lucky in this example since the value of u turned out to be integral. Otherwise, we would have had to search through values of u with small numerator and small denominator. The curve y 2 = x3 −36x can be transformed to the curve y 2 = x(x+1)(2x+ 1)/6 that we met in Chapter 1 (see Exercise 1.5). The point (1/2, 1/2) on that curve corresponds to the point (12, 36) that we found here. Example 8.10 The elliptic curves that we have seen up to now have had small generators for their Mordell-Weil groups. However, frequently the generators of MordellWeil groups have very large heights. For example, the Mordell-Weil group of

230

CHAPTER 8 ELLIPTIC CURVES OVER Q

the elliptic curve (see [76]) y 2 = x3 − 59643 over Q is infinite cyclic, generated by
 62511752209 15629405421521177 , 9922500 31255875000 (there are much larger examples, but the margin is not large enough to contain them). This curve can be transformed to the curve u3 + v 3 = 94 by the techniques of Section 2.5.2.

8.5 The Height Pairing Suppose we have points P1 , . . . , Pr that we want to prove are independent. How do we do it? THEOREM 8.25 ˆ be the canonical height Let E be an elliptic curve defined over Q and let h function. For P, Q ∈ E(Q), define the height pairing ˆ + Q) − h(P ˆ ) − h(Q). ˆ P, Q = h(P Then  ,  is bilinear in each variable. If P1 , . . . , Pr are points in E(Q), and the r × r determinant det(Pi , Pj )
= 0, then P1 , . . . , Pr are independent (that is, if there are integers ai such that a1 P1 + · · · + ar Pr = ∞, then ai = 0 for all i). PROOF The second part of the theorem is true for any bilinear pairing. Let’s assume for the moment that the pairing is bilinear and prove the second part. Suppose a1 P1 + · · · + ar Pr = ∞, and ar
= 0, for example. Then ar times the last row of the matrix Pi , Pj  is a linear combination of the first r − 1 rows. Therefore, the determinant vanishes. This contradiction proves that the points must be independent. The proof of bilinearity is harder. Since the pairing is symmetric (that is, P, Q = Q, P ), it suffices to prove bilinearity in the first variable: P + Q, R = P, R + Q, R. Recall the parallelogram law: ˆ + T ) + h(S ˆ − T ) = 2h(S) ˆ ˆ ). h(S + 2h(T

231

SECTION 8.6 FERMAT’S INFINITE DESCENT

Successively letting (S, T ) = (P + Q, R), (P, Q − R), (P + R, Q), and (Q, R) yields the following equations: ˆ + Q + R) + h(P ˆ + Q − R) = 2h(P ˆ + Q) + 2h(R) ˆ h(P ˆ ) + 2h(Q ˆ − R) = h(P ˆ + Q − R) + h(P ˆ − Q + R) 2h(P ˆ + R + Q) + h(P ˆ + R − Q) = 2h(P ˆ + R) + 2h(Q) ˆ h(P ˆ ˆ ˆ + R) + 2h(Q ˆ − R). 4h(Q) + 4h(R) = 2h(Q Adding together all of these equations yields   ˆ + Q + R) − h(P ˆ + Q) − h(R) ˆ 2 h(P   ˆ + R) − h(P ˆ ) − h(R) ˆ ˆ + R) − h(Q) ˆ ˆ . = 2 h(P + h(Q − h(R) Dividing by 2 and using the definition of the pairing yields the result. Example 8.11 Let E be given by y 2 = x3 + 73. Let P = (2, 9) and Q = (3, 10). Then P, P  = 0.9239 . . . P, Q = −0.9770 . . . Q, Q = Since


det

1.9927 . . . .

0.9239 −0.9770 −0.9770 1.9927

 = 0.8865 · · ·
= 0,

the points P and Q are independent on E.

8.6 Fermat’s Infinite Descent The methods in this chapter have their origins in Fermat’s method of infinite descent. In the present section, we’ll give an example of Fermat’s method and show how it relates to the calculations we have been doing. Consider the equation a4 + b4 = c2 .

(8.12)

The goal is to show that it has no solutions in nonzero integers a, b, c. Recall the parameterization of Pythagorean triples:

232

CHAPTER 8 ELLIPTIC CURVES OVER Q

PROPOSITION 8.26 Suppose x, y, z are relatively prime positive integers such that x2 + y 2 = z 2 . Then one of x, y is even. Suppose it is x. Then there exist positive integers m, n such that x = 2mn,

y = m2 − n2 ,

z = m2 + n2 .

Moreover, gcd(m, n) = 1 and m
≡ n (mod 2). This result is proved in most elementary number theory texts. Alternatively, see Exercise 2.21. Suppose now that there are nonzero integers a, b, c satisfying (8.12). We may assume a, b, c are positive and relatively prime. Proposition 8.26 implies we may assume that a is even and that there exist integers m, n with a2 = 2mn,

b2 = m2 − n2 ,

c = m2 + n2 .

If n is odd, then m is even, which implies that b2 ≡ −1 (mod 4). This is impossible, so n is even and m is odd. Write n = 2q for some integer q. We then have (a/2)2 = mq. Since gcd(m, n) = 1, we also have gcd(m, q) = 1. Since m, q are relatively prime and their product is a square, it follows easily from looking at the prime factorizations of m, q that both m and q must be squares: m = t2 ,

q = u2

for some positive integers t, u. Therefore, we have b2 = m2 − n2 = t4 − 4u4 . This may be rewritten as

(2u2 )2 + b2 = t4 .

Since m is odd, t is odd. Since gcd(m, q) = 1, we also have gcd(t, u) = 1. Therefore, gcd(t, 2u2 ) = 1. Proposition 8.26 implies that 2u2 = 2vw,

b = v 2 − w2 ,

t2 = v 2 + w 2

with gcd(v, w) = 1. Since the product vw is a square, it follows that both v and w are squares: v = r2 , w = s2 . Therefore, t2 = v 2 + w2 becomes t2 = r4 + s4 .

SECTION 8.6 FERMAT’S INFINITE DESCENT

233

This is the same equation we started with. Since 0 < t ≤ t4 = m2 < c,

(8.13)

we have proved that for every triple (a, b, c) with a4 + b4 = c2 , there is another solution (r, s, t) with 0 < t < c. We therefore have an infinitely descending sequence c > t > . . . of positive integers. This is impossible. Therefore, there is no solution (a, b, c). Observe that m2 > n2 , so c < 2m2 = 2t4 . Combining this with (8.13) yields t4 < c < 2t4 . This implies that the logarithmic height of t is approximately one fourth the logarithmic height of c. Recall that the canonical height of 2P is four times the height of P . Therefore, we suspect that Fermat’s procedure amounts to halving a point on an elliptic curve. We’ll show that this is the case. We showed in Section 2.5.3 that the transformation x=

2(z + 1) , w2

maps the curve

y=

4(z + 1) w3

C : w2 = z 4 + 1

to the curve

E : y 2 = x3 − 4x.

If we start with

a4 + b4 = c2 ,

then the point

a c (z, w) = ( , 2 ) b b lies on C. It maps to a point (x, y) on E, with c + 1) 2 2(c + b2 ) b x= = 2 (a/b) a2 2(t4 + 4r4 s4 + (r4 − s4 )2 ) = (2rst)2
2 t = . rs 2(

This implies that x−2 =

t2 − 2r2 s2 = (rs)2

t2 + 2r2 s2 x+2 = = (rs)2





r2 − s2 rs r2 + s2 rs

2 2 .

234

CHAPTER 8 ELLIPTIC CURVES OVER Q

Let φ be the map in Theorem 8.14. Since x, x − 2, x + 2 are squares, φ(x, y) = 1. Theorem 8.14 implies that (x, y) = 2P for some point P ∈ E(Q). Let’s find P . We follow the procedure used to prove Theorem 8.14. In the notation of the proof of Theorem 8.14, the polynomial f (T ) =

t s r2 − t 2 − T+ T rs rs 4rs

satisfies

t r2 − s2 r2 + s2 , f (2) = , f (−2) = . rs rs rs The formulas from the proof of Theorem 8.14 say that the point (x1 , y1 ) with f (0) =

−2s2 −s/2r = 2 − t)/4rs r −t 4rs y1 = 2 r −t

x1 =

(r2

satisfies 2(x1 , y1 ) = (x, y). The transformation z=

2x , y

w = −1 +

2x3 y2

maps E to C. The point (x1 , y1 ) maps to 2x1 s =− y1 r 2x3 s4 w1 = −1 + 21 = −1 − 2 2 y1 r (r − t) 4 4 2 t2 − r 2 t r +s −r t =− 2 2 =− 2 2 r (r − t) r (r − t) t = 2. r z1 =

We have




t r2




2 =

−s r

4 + 1.

Therefore, the solution (r, −s, t) corresponds to a point P on E such that 2P corresponds to (a, b, c). Fermat’s procedure, therefore, can be interpreted as starting with a point on an elliptic curve and halving it. The height decreases by a factor of 4. The procedure cannot continue forever, so we must conclude that there are no nontrivial solutions to start with.

SECTION 8.6 FERMAT’S INFINITE DESCENT

235

On y 2 = x3 −4x, the points of order 2 played a role in the descent procedure in Section 8.2. We showed that the image of the map φ was equal to the image of E[2] under φ. If we start with a possible point P ∈ E(Q), then φ(P ) = φ(T ) for some T ∈ E[2]. Therefore, P − T = 2Q for some Q ∈ E(Q). In Fermat’s method, the points of order 2 appear more subtly. If (x, y) on E corresponds to the solution a, b, c of a4 + b4 = c2 , then a calculation shows that (x, y) + (0, 0) ←→ −a, b, −c (x, y) + (2, 0) ←→ −b, a, c (x, y) + (−2, 0) ←→ b, a, −c. Since we assumed that a was even and b was odd, we removed the solutions ±b, a, ∓c from consideration. The solution −a, b, −c was implicitly removed by the equation c = m2 + n2 , which required c to be positive. Therefore, the choices that were made, which seemed fairly natural and innocent, were exactly those that caused φ(P ) to be trivial and thus allowed us to halve the point. Finally, we note that in the descent procedure for E in Section 8.2, we eliminated many possibilities by congruences mod powers of 2. The considerations also appear in Fermat’s method, for example, in the argument that n is even. In Fermat’s descent, the equation b2 = t4 − 4u4 appears in an intermediate stage. This means we are working with the point (w, z) = (u/t, b/t2 ) on the curve C
: w2 = −4z 4 + 1. The transformation (see Theorem 2.17) x
=

2(z + 1) , w2

y
=

4(z + 1) w3

maps C
to the elliptic curve 2

3

E
: y
= x
+ 16x
. There is a map ψ : E → E
given by





(x , y ) = ψ(x, y) =




y 2 y(x2 + 4) , x2 x2

 .

There is also a map ψ
: E
→ E given by

2 2 y
y
(x
− 16)


(x, y) = ψ (x , y ) = , . 4x
2 8x
2

236

CHAPTER 8 ELLIPTIC CURVES OVER Q

It can be shown that ψ
◦ ψ is multiplication by 2 on E. Fermat’s descent procedure can be analyzed in terms of the maps ψ and ψ
. More generally, if E is an elliptic curve given by y 2 = x3 + Cx2 + Ax and E
2 3 2 is given by y
= x
− 2Cx
+ (C 2 − 4A)x
, then there are maps ψ : E → E
given by
2  y y(x2 − A) (x
, y
) = ψ(x, y) = , , ψ(0, 0) = ψ(∞) = ∞, x2 x2 and ψ
: E
→ E given by

2 2 y
y
(x
− C 2 + 4A)


(x, y) = ψ (x , y ) = , , 4x
2 8x
2

ψ
(0, 0) = ψ
(∞) = ∞.

The composition ψ
◦ ψ is multiplication by 2 on E. It is possible to do descent and prove the Mordell-Weil theorem using the maps ψ and ψ
. This is a more powerful method than the one we have used since it requires only one two-torsion to be rational, rather than all three. For details, see [114], [109]. The maps ψ and ψ
can be shown to be homomorphisms between E(Q) and
E (Q) and are described by rational functions. In general, for elliptic curves E1 and E2 over a field K, a homomorphism from E1 (K) to E2 (K) that is given by rational functions is called an isogeny.

8.7 2-Selmer Groups; Shafarevich-Tate Groups Let’s return to the basic descent procedure of Section 8.2. We start with an elliptic curve E defined over Q by y 2 = (x − e1 )(x − e2 )(x − e3 ) with all ei ∈ Z. This leads to equations x − e1 = au2 x − e2 = bv 2 x − e3 = cw2 . These lead to the equations au2 − bv 2 = e2 − e1 ,

au2 − cw2 = e3 − e1 .

This defines a curve Ca,b,c in u, v, w. In fact, it is the intersection of two quadratic surfaces. If it has a rational point, then it can be changed to an

SECTION 8.7 2-SELMER GROUPS; SHAFAREVICH-TATE GROUPS

237

elliptic curve, as in Section 2.5.4. A lengthy calculation, using the formulas of Theorem 2.17, shows that this elliptic curve is the original curve E. If Ca,b,c does not have any rational points, then the triple (a, b, c) is eliminated. The problem is how to decide which curves Ca,b,c have rational points. In the examples of Section 8.2, we used considerations of sign and congruences mod powers of 2 and 5. These can be interpreted as showing that the curves Ca,b,c that are being eliminated have no real points, no 2-adic points, or no 5-adic points (for a summary of the relevant properties of p-adic numbers, see Appendix A). For example, when we used inequalities to eliminate the triple (a, b, c) = (−1, 1, −1) for the curve y 2 = x(x − 2)(x + 2), we were showing that the curve C−1,1,−1 : −u2 − v 2 = 2, −u2 + w2 = −2 has no real points. When we eliminated (a, b, c) = (1, 2, 2), we used congruences mod powers of 2. This meant that C1,2,2 : u2 − 2v 2 = 2,

u2 − 2w2 = −2

has no 2-adic points. The 2-Selmer group S2 is defined to be the set of (a, b, c) such that Ca,b,c has a real point and has p-adic points for all p. For notational convenience, the real numbers are sometimes called the ∞-adics Q∞ . Instead of saying that something holds for the reals and for all the p-adics Qp , we say that it holds for Qp for all p ≤ ∞. Therefore, S2 = {(a, b, c) | Ca,b,c (Qp ) is nonempty for all p ≤ ∞}. Therefore, S2 is the set of (a, b, c) that cannot be eliminated by sign or congruence considerations. It is a group under multiplication mod squares. Namely, we regard 2 2 2 S2 ⊂ (Q× /Q× ) ⊕ (Q× /Q× ) ⊕ (Q× /Q× ). The prime divisors of a, b, c divide (e1 − e2 )(e1 − e3 )(e2 − e3 ), which implies that S2 is a finite group. The descent map φ gives a map φ : E(Q)/2E(Q) → S2 . The 2-torsion in the Shafarevich-Tate group is the cokernel of this map: 2

= S2 /Im φ.

is the Cyrillic letter “sha,” which is the first letter of “ShafareThe symbol vich” (in Cyrillic). We’ll define the full group in Section 8.9. The group 2 represents those triples (a, b, c) such that Ca,b,c has a p-adic point for all p ≤ ∞, but has no rational point. If 2
= 1, then it is much more difficult to find the points on the elliptic curve E. If (a, b, c) represents a nontrivial

238

CHAPTER 8 ELLIPTIC CURVES OVER Q

element of , then it is usually difficult to show that Ca,b,c does not have rational points. Suppose we have an elliptic curve on which we want to find rational points. If we do a 2-descent, then we encounter curves Ca,b,c . If we search for points on a curve Ca,b,c and also try congruence conditions, both with no success, then perhaps (a, b, c) represents a nontrivial element of 2 . Or we might need to search longer for points. It is difficult to decide which is the case. Fortunately for Fermat, the curves on which he did 2-descents had trivial 2. The possible nontriviality of the group 2 means that we do not have a general procedure for finding the rank of the group E(Q). The group S2 can be computed exactly and allows us to obtain an upper bound for the rank. But we do not know how much of S2 is the image of φ and how much consists of triples (a, b, c) representing elements of a possibly nontrivial 2 . Since the generators of E(Q) can sometimes have very large height, it is sometimes quite difficult to find points representing elements of the image of φ. Without this information, we don’t know that the triple is actually in the image. The Shafarevich-Tate group is often called the Tate-Shafarevich group in English and the Shafarevich-Tate group in Russian. Since comes after T in the Cyrillic alphabet, these names for the group, in each language, are the reverse of the standard practice in mathematics, which is to put names was given to the group by Cassels (see in alphabetical order. The symbol [23, p. 109]).

REMARK 8.27 quadratic form

The Hasse-Minkowski theorem (see [104]) states that a

Q(x1 , . . . , xn ) =

n  n 

aij xi xj

i=1 j=1

with aij ∈ Q represents 0 nontrivially over Q (that is, Q(x1 , . . . , xn ) = 0 for some (0, . . . , 0)
= (x1 , . . . , xn ) ∈ Qn ) if and only if it represents 0 nontrivially in Qp for all p ≤ ∞. This is an example of a local-global principle. For a general algebraic variety over Q (for example, an algebraic curve), we can ask whether the local-global principle holds. Namely, if the variety has a p-adic point for all p ≤ ∞, does it have a rational point? Since it is fairly easy to determine when a variety has p-adic points, and most varieties fail to have p-adic points for at most a finite set of p, this would make it easy to decide when a variety has rational points. However, the local-global principle fails in many cases. In Section 8.8, we’ll give an example of a curve, one that arises in a descent on an elliptic curve, for which the local-global principle fails.

SECTION 8.8 A NONTRIVIAL SHAFAREVICH-TATE GROUP

239

8.8 A Nontrivial Shafarevich-Tate Group Let E be the elliptic curve over Q given by y 2 = x(x − 2p)(x + 2p), where p is a prime. If we do a 2-descent on E, we encounter the equations x = u2 x − 2p = pv 2 x + 2p = pw2 . These yield the curve defined by the intersection of two quadratic surfaces: C1,p,p : u2 − pv 2 = 2p,

u2 − pw2 = −2p.

(8.14)

THEOREM 8.28 If p ≡ 9 (mod 16), then C1,p,p has q-adic points for all primes q ≤ ∞, but has no rational points. PROOF First, we’ll show that there are no rational points. Suppose there is a rational point (u, v, w). We may assume that u, v, w > 0. If p divides the denominator of v, then an odd power of p is in the denominator of pv 2 and an even power of p is in the denominator of u2 , so u2 − pv 2 cannot be an integer, contradiction. Therefore, u, v, and hence also w have no p in their denominators. It follows easily that the denominators of u, v, w are equal. Since u2 = 2p + pv 2 , we have u ≡ 0 (mod p). Write u=

pr , e

s v= , e

t w= , e

with positive integers r, s, t, e and with gcd(r, e) = gcd(s, e) = gcd(t, e) = 1. The equations for C1,p,p become pr2 − s2 = 2e2 , Subtracting yields

pr2 − t2 = −2e2 .

s2 + 4e2 = t2 .

If s is even, then pr2 = s2 + 2e2 is even, so r is even. Then 2e2 = pr2 − s2 ≡ 0 (mod 4), which implies that e is even. This contradicts the fact that gcd(s, e) = 1. Therefore, s is odd, so gcd(s, 2e) = 1.

240

CHAPTER 8 ELLIPTIC CURVES OVER Q

By Proposition 8.26, there exist integers m, n with gcd(m, n) = 1 such that 2e = 2mn,

s = m2 − n2 ,

t = m2 + n2 .

Therefore, pr2 = s2 + 2e2 = (m2 − n2 )2 + 2(mn)2 = m4 + n4 . Let q be a prime dividing r. Proposition 8.26 says that m
≡ n (mod 2), which implies that pr2 must be odd. Therefore, q
= 2. Since gcd(m, n) = 1, at least one of m, n is not divisible by q. It follows that both m, n are not divisible by q, since m4 + n4 ≡ 0 (mod q). Therefore, (m/n)4 ≡ −1 (mod q). It follows that m/n has order 8 in F× q , so q ≡ 1 (mod 8). Since r is a positive integer and all prime factors of r are 1 mod 8, we obtain r≡1

(mod 8).

Therefore, r2 ≡ 1 (mod 16), so m4 + n4 = pr2 ≡ 9

(mod 16).

But, for an arbitrary integer j, we have j 4 ≡ 0, 1 (mod 16). Therefore, m4 + n4 ≡ 0, 1, 2

(mod 16),

so pr2
= m4 +n4 . This contradiction proves that C1,p,p has no rational points. We now need to show that C1,p,p has q-adic points for all primes q ≤ ∞. The proof breaks into four cases: q = ∞, q = 2, q = p, and all other q. The case of the reals is easy. Let u be large enough that u2 > 2p. Then choose v, w satisfying (8.14). For q = 2, write u = 1/2,

v = v1 /2,

w = w1 /2.

The equations for C1,p,p become 1 − pv12 = 8p,

1 − pw12 = −8p.

We need to solve v12 = (1 − 8p)/p,

w12 = (1 + 8p)/p

in the 2-adics. Since (1 ± 8p)/p ≡ 1

(mod 8),

and since any number congruent to 1 mod 8 has a 2-adic square root (see Appendix A), v1 , w1 exist. Therefore, C1,p,p has a 2-adic point.

SECTION 8.8 A NONTRIVIAL SHAFAREVICH-TATE GROUP

241

Now let’s consider q = p. Since p ≡ 1 (mod 4), there is a square root of −1 mod p. Since p ≡ 1 (mod 8), there is a square root of −2 mod p. Therefore, both 2 and −2 have square roots mod p. Hensel’s lemma (see Appendix A) implies that both 2 and −2 have square roots in the p-adics. Let √ √ u = 0, v = −2, w = 2. Then u, v, w is a p-adic point on C1,p,p . Finally, we need to consider q
= 2, p, ∞. From a more advanced standpoint, we could say that the curve C1,p,p is a curve of genus 1 and that Hasse’s theorem holds for such curves. If we use the estimates from Hasse’s theorem, then we immediately find that C1,p,p has points mod q for all q (except maybe for a few small q, since we are not looking at the points at infinity on C1,p,p ). However, we have only proved Hasse’s theorem for elliptic curves, rather than for arbitrary genus 1 curves. In the following, we’ll use Hasse’s theorem only for elliptic curves and show that C1,p,p has points mod q. Hensel’s lemma then will imply that there is a q-adic point. Subtracting the two equations defining C1,p,p allows us to put the equations into a more convenient form: w2 − v 2 = 4,

u2 − pv 2 = 2p.

(8.15)

Suppose we have a solution (u0 , v0 , w0 ) mod q. It is impossible for both u0 and w0 to be 0 mod q. Suppose u0 ≡ 0 (mod q). Then w0
≡ 0 (mod q). Also, v0
≡ 0 (mod q). Let u = 0. Since −pv02 ≡ 2p (mod q), Hensel’s lemma says that there exists v ≡ v0 (mod q) in the q-adics such that −pv 2 = 2p. Applying Hensel’s lemma again gives the existence of w ≡ w0 satisfying w2 −v 2 = 4. Therefore, we have found a q-adic point. Similarly, if w0 ≡ 0 (mod q), there is a q-adic point. Finally, suppose u0
≡ 0 (mod q) and w0
≡ 0 (mod q). Choose any v ≡ v0 (mod q). Now use Hensel’s lemma to find u, w. This yields a q-adic point. It remains to show that there is a point mod q. Let n be a quadratic 2 2 nonresidue mod q. Then every element of F× q is either of the form u or nu . Consider the curve C
: w2 − v 2 = 4,

nu2 − pv 2 = 2p.

Let N be the number of points mod q on C1,p,p and let N
be the number of points mod q on C
. (We are not counting points at infinity.) LEMMA 8.29 N + N
= 2(q − 1). PROOF

Let x
≡ 0 (mod q). Solving w + v ≡ x,

w − v ≡ 4/x (mod q)

242

CHAPTER 8 ELLIPTIC CURVES OVER Q

yields a pair (v, w) for each x. There are q − 1 choices for x, hence there are q − 1 pairs (v, w) satisfying w2 − v 2 = 4. Let (v, w) be such a pair. Consider the congruences u2 ≡ 2p + pv 2

(mod q) and nu2 ≡ 2p + pv 2

(mod q).

If 2p + pv 2
≡ 0 (mod q), then exactly one of these has a solution, and it has 2 solutions. If 2p + pv 2 ≡ 0 (mod q), then both congruences have 1 solution. Therefore, each of the q − 1 pairs (v, w) contributes 2 to the sum N + N
, so N + N
= 2(q − 1). The strategy now is the following. If N > 0, we’re done. If N
> 0, then C
can be transformed into an elliptic curve with approximately N
points. Hasse’s theorem then gives a bound on N
, which will show that N = 2(q − 1) − N
> 0, so there must be points on C1,p,p . LEMMA 8.30 If q ≥ 11, then N > 0. PROOF If N = 0 then N
= 2(q−1) > 0, by Lemma 8.29. In Section 2.5.4, we showed how to start with the intersection of two quadratic surfaces and a point and obtain an elliptic curve. Therefore, we can transform C
to √ an elliptic curve E
. By Hasse’s theorem, E
has less than q + 1 + 2 q points. We need to check that every point on C
gives a point on E
. In the parameterization v=

4t , 1 − t2

w=

2 + 2t2 1 − t2

(8.16)

of w2 − v 2 = 4, the value t = ∞ corresponds to (v, w) = (0, −2). All of the other points (v, w) correspond to finite values of t. No (finite) pair (v, w) corresponds to t = ±1 (the lines through (0, 2) of slope t = ±1 are parallel to the asymptotes of the hyperbola). Substituting the parameterization (8.16) into nu2 − pv 2 = 2p yields the curve Q
:

u21 =

2p 4 (t + 6t2 + 1), n

where u1 = (1 − t2 )u. A point on C
with (v, w)
= (0, −2) yields a finite point on the quartic curve Q
. Since C
has 2(q − 1) > 1 points mod q, there is at least one finite point on Q
. Section 2.5.3 describes how to change Q
to an elliptic curve E
(the case where Q
is singular does not occur since Q
is easily shown to be nonsingular mod q when q
= 2, p). Every point mod q on Q
(including those at infinity, if they are defined over Fq ) yields a point (possibly ∞) on E
(points at infinity on Q
yield points of order 2 on E
).

SECTION 8.8 A NONTRIVIAL SHAFAREVICH-TATE GROUP

243

Therefore, the number of points on C
is less than or equal to the number of points on E
. By Hasse’s theorem, √ 2(q − 1) = N
≤ q + 1 + 2 q. This may be rearranged to obtain √ ( q − 1)2 ≤ 4, which yields q ≤ 9. Therefore, if q ≥ 11, we must have N
= 0. It remains to treat the cases q = 3, 5, 7. First, suppose p is a square mod q. There are no points on C1,p,p with coordinates in F3 , for example, so we introduce denominators. Let’s try u = u1 /q,

v = 1/q,

w = w1 /q.

Then we want to solve w12 = 1 + 4q 2 ,

u21 = p + 2pq 2 .

Since p is assumed to be a square mod q, Hensel’s lemma implies that there are q-adic solutions u1 , w1 . Now suppose that p is not a square mod q. Divide the second equation in (8.15) by p to obtain w2 − v 2 = 4,

1 2 u − v 2 = 2. p

Let n be any fixed quadratic nonresidue mod q, and write 1/p ≡ nx2 (mod q). Letting u1 = xu, we obtain w2 − v 2 = 4,

nu21 − v 2 = 2.

For q = 3 and q = 5, we may take n = 2 and obtain w2 − v 2 ≡ 4,

2u21 − v 2 ≡ 2

(mod q).

This has the solution (u1 , v, w) = (1, 0, 2). As above, Hensel’s lemma yields a q-adic solution. For q = 7, take n = 3 to obtain w2 − v 2 ≡ 4,

3u21 − v 2 ≡ 2

(mod 7).

This has the solution (u1 , v, w) = (3, 2, 1), which yields a 7-adic solution. Therefore, we have shown that there is a q-adic solution for all q ≤ ∞. This completes the proof of Theorem 8.28.

244

CHAPTER 8 ELLIPTIC CURVES OVER Q

8.9 Galois Cohomology In this section, we give the definition of the full Shafarevich-Tate group. This requires reinterpreting and generalizing the descent calculations in terms of Galois cohomology. Fortunately, we only need the first two cohomology groups, and they can be defined in concrete terms. Let G be a group and let M be an additive abelian group on which G acts. This means that each g ∈ G gives a automorphism g : M → M . Moreover, (g1 g2 )(m) = g1 (g2 (m)) for all m ∈ M and all g1 , g2 ∈ G. We call such an M a G-module. One possibility is that g is the identity map for all g ∈ G. In this case, we say that the action of G is trivial. If G is a topological group, and M has a topology, then we require that the action of G on M be continuous. We also require all maps to be continuous. In the cases below where the groups have topologies, this will always be the case, so we will not discuss this point further. A homomorphism φ : M1 → M2 of G-modules is a homomorphism of abelian groups that is compatible with the action of G: φ(gm1 ) = g φ(m1 ) for all g ∈ G and all m1 ∈ M1 . Note that φ(m1 ) is an element of M2 , so g φ(m1 ) is the action of g on an element of M2 . An exact sequence 0 → M1 → M2 → M3 → 0 is a short way of writing that the map from M1 to M2 is injective, the map from M2 to M3 is surjective, and the image of M1 → M2 is the kernel of M2 → M3 . The most common situation is when M1 ⊆ M2 and M3 = M2 /M1 . More generally, a sequence of abelian groups and homomorphisms ··· → A → B → C → ··· is said to be exact at B if the image of A → B is the kernel of B → C. Such a sequence is said to be exact if it is exact at each group in the sequence. Define the zeroth cohomology group to be H 0 (G, M ) = M G = {m ∈ M | gm = m for all g ∈ G}. For example, if G acts trivially, then H 0 (G, M ) = M . Define the cocycles Z(G, M ) = { maps f : G → M | f (g1 g2 ) = f (g1 ) + g1 f (g2 ) for all g1 , g2 ∈ G}.

SECTION 8.9 GALOIS COHOMOLOGY

245

The maps f are (continuous) maps of sets that are required to satisfy the given condition. Note that g1 f (g2 ) means that we evaluate f (g2 ) and obtain an element of M , then act on this element of M by the automorphism g1 . The set Z is sometimes called the set of twisted homomorphisms from G to M . It is a group under addition of maps. We note one important case. If G acts trivially on M , then Z(G, M ) = Hom(G, M ) is the set of group homomorphisms from G to M . There is an easy way to construct elements of Z(G, M ). Let m be a fixed element of M and define fm (g) = gm − m. Then fm gives a map from G to M . Since fm (g1 g2 ) = g1 (g2 m) − m = g1 m − m + g1 (g2 m − m) = fm (g1 ) + g1 fm (g2 ), we have fm ∈ Z(G, M ). Let B(G, M ) = {fm | m ∈ M }. Then B(G, M ) ⊆ Z(G, M ) is called the set of coboundaries. Define the first cohomology group H 1 (G, M ) = Z/B. In the important special case where G acts trivially, B(G, M ) = 0 since gm − m = 0 for all g, m. Therefore H 1 (G, M ) = Hom(G, M ) is simply the set of group homomorphisms from G to M . A homomorphism φ : M1 → M2 of G-modules induces a map φ∗ : H j (G, M1 ) → H j (G, M2 ) of cohomology groups for j = 0, 1. For H 0 , this is simply the restriction of φ to M1G . Note that if gm1 = m1 , then g φ(m1 ) = φ(gm1 ) = φ(m1 ), so φ maps M1G into M2G . For H 1 , we obtain φ∗ by taking an element f ∈ Z and defining (φ∗ (f ))(g) = φ(f (g)). It is easy to see that this induces a map on cohomology groups. The main property we need is the following.

246

CHAPTER 8 ELLIPTIC CURVES OVER Q

PROPOSITION 8.31 An exact sequence 0 → M1 → M2 → M3 → 0 of G-modules induces a long exact sequence 0 → H 0 (G, M1 ) → H 0 (G, M2 ) → H 0 (G, M3 ) → H 1 (G, M1 ) → H 1 (G, M2 ) → H 1 (G, M3 ) of cohomology groups. For a proof, see any book on group cohomology, for example [132], [21], or [6]. The hardest part of the proposition is the existence of the map from H 0 (G, M3 ) to H 1 (G, M1 ). Suppose now that we have an elliptic curve defined over Q. Let n be a positive integer. Multiplication by n gives an endomorphism of E. By Theorem 2.22, it is surjective from E(Q) → E(Q), since Q is algebraically closed. Therefore, we have an exact sequence n

0 → E[n] → E(Q) → E(Q) → 0.

(8.17)

Let G = Gal(Q/Q) be the Galois group of Q/Q. The reader who doesn’t know what this group looks like should not worry. No one does. Much of modern number theory can be interpreted as trying to understand the structure of this group. The one property we need at the moment is that H 0 (G, E(Q)) = E(Q)G = E(Q). Applying Proposition 8.31 to the exact sequence (8.17) yields the long exact sequence n

0 → E(Q)[n] → E(Q) → E(Q) → H 1 (G, E[n]) → H 1 (G, E(Q)) → H 1 (G, E(Q)). n

This induces the short exact sequence 0 → E(Q)/nE(Q) → H 1 (G, E[n]) → H 1 (G, E(Q))[n] → 0,

(8.18)

where we have written A[n] for the n-torsion in an abelian group A. This sequence is similar to the sequence 0 → E(Q)/2E(Q) → S2 →

2

→0

that we met in Section 8.7. In the remainder of this section, we’ll show how the two sequences relate when n = 2 and also consider the situation for arbitrary n.

SECTION 8.9 GALOIS COHOMOLOGY

247

First, we give a way to construct elements of H 1 (G, E(Q)). Let C be a curve defined over Q such that C is isomorphic to E over Q. This means that there is a map φ : E → C given by rational functions with coefficients in Q and an inverse function φ−1 : C → E also given by rational functions with coefficients in Q. Let g ∈ G, and let φg denote the map obtained by applying g to the coefficients of the rational functions defining φ. Since C is defined over Q, the map φg maps E to gC = C. Note that g(φ(P )) = (φg )(gP )

(8.19)

for all P ∈ E(Q), since the expression g(φ(P )) means we apply g to everything, while φg means applying g to the coefficients of φ and gP means applying g to P . We have to be a little careful when applying g1 g2 . The rule is φg1 g2 = (φg2 )g1 , since applying g1 g2 to the coefficients of φ means first applying g2 , then applying g1 to the result. We say that a map φ is defined over Q if φg (P ) = φ(P ) for all P ∈ E(Q) and all g ∈ G (this is equivalent to saying that the coefficients of the rational functions defining φ can be taken to be in Q, though proving this requires results such as Hilbert’s Theorem 90). The map φ−1 φg gives a map from E to E. We assume the following: Assumption: Assume that there is a point Tg ∈ E(Q) such that φ−1 (φg (P )) = P + Tg

(8.20)

for all P ∈ E(Q). Equation (8.20) can be rewritten as φg (P ) = φ(P + Tg )

(8.21)

for all P ∈ E(Q). If we let P = (φg )−1 (Q) for a point Q ∈ C(Q), then the assumption becomes φ−1 (Q) = (φg )−1 (Q) + Tg ,

(8.22)

which says that φ−1 and (φg )−1 differ by a translation. We’ll give an example of such a map φ below. LEMMA 8.32 Define τφ : G → E(Q) by τφ (g) = Tg . Then τφ ∈ Z(G, E(Q)).

248

CHAPTER 8 ELLIPTIC CURVES OVER Q

PROOF g1−1 φ(P + Tg1 g2 ) = g1−1 φg1 g2 (P )

= φg2 (g1−1 P ) (by (8.19)) = φ(g1−1 P + Tg2 ) (by (8.21))

= g1−1 φg1 (P + g1 Tg2 ) (by (8.19)) = g1−1 φ(P + g1 Tg2 + Tg1 ) (by (8.21)).

Applying g1 then φ−1 yields Tg1 g2 = g1 Tg2 + Tg1 . This is the desired relation. Suppose we have curves Ci and maps φi : E → Ci , for i = 1, 2, as above. We say that the pairs (C1 , φ1 ) and (C2 , φ2 ) are equivalent if there is a map θ : C1 → C2 defined over Q and a point P0 ∈ E(Q) such that φ−1 2 θφ1 (P ) = P + P0

(8.23)

for all P ∈ E(Q). In other words, if we identify C1 and C2 with E via φ1 and φ2 , then θ is simply translation by P0 . PROPOSITION 8.33 The pairs (C1 , φ1 ) and (C2 , φ2 ) are equivalent if and only if the cocycles τφ1 and τφ2 differ by a coboundary. This means that there is a point P1 ∈ E(Q) such that τφ1 (g) − τφ2 (g) = gP1 − P1 for all g ∈ G. PROOF

For i = 1, 2, denote τφi (g) = Tgi , so φgi (P ) = φi (P + Tgi )

(8.24)

for all P ∈ E(Q). Suppose the pairs (C1 , φ1 ) and (C2 , φ2 ) are equivalent, so there exists θ : C1 → C2 and P0 as above. For any P ∈ E(Q), we have 1 P + Tg1 + P0 = φ−1 2 θφ1 (P + Tg )

= = = = = =

(by (8.23))

g φ−1 2 θφ1 (P ) (by (8.24)) g −1 g g φ−1 2 φ2 (φ2 θφ1 ) (P ) (since θ = θ) −1 g 2 (φ2 θφ1 ) (P ) + Tg (by (8.20)) −1 g(φ−1 P ) + Tg2 (by (8.19)) 2 θφ1 )(g g(g −1 P + P0 ) + Tg2 (by (8.23)) P + gP0 + Tg2 .

SECTION 8.9 GALOIS COHOMOLOGY

Therefore,

249

Tg1 − Tg2 = τφ1 (g) − τφ2 (g) = gP0 − P0 .

Conversely, suppose there exists P1 such that τφ1 (g) − τφ2 (g) = gP1 − P1 .

(8.25)

Define θ : C1 → C2 by θ(Q) = φ2 (φ−1 1 (Q) + P1 ). Clearly, θ satisfies (8.23). We need to show that θ is defined over Q. If Q ∈ C(Q), then θg (Q) = gθ(g −1 Q) (by (8.19))   −1 = gφ2 φ−1 Q) + P1 1 (g = φg2 ((φg1 )−1 (Q) + gP1 ) = φ2 (φ−1 φg2 )((φg1 )−1 (Q) + gP1 )  2 g −1  (by (8.24)) = φ2 (φ1 ) (Q) + gP1 + Tg2  −1  1 = φ2 φ1 (Q) − Tg (g) + gP1 + Tg2 (by (8.22)) = φ2 (φ−1 1 (Q) + P1 ) = θ(Q).

(by (8.25))

Therefore, θ is defined over Q, so the pairs (C1 , φ1 ) and (C2 , φ2 ) are equivalent.

Proposition 8.33 says that we have a map equivalence classes of pairs (C, φ) → H 1 (G, E(Q)). It can be shown that this is a bijection (see [109]). The most important property for us is the following. PROPOSITION 8.34 Let τφ correspond to the pair (C, φ). Then τφ ∈ B(G, E(Q)) (= coboundaries) if and only if C has a rational point (that is, a point with coordinates in Q). PROOF

Let P ∈ E(Q). Then gP + Tg = φ−1 φg (gP ) = φ−1 (gφ(P ))

and

P = φ−1 (φ(P )).

Therefore, Tg = P − gP ⇐⇒ gφ(P ) = φ(P ).

250

CHAPTER 8 ELLIPTIC CURVES OVER Q

If C has a rational point Q, choose P such that φ(P ) = Q. Then gQ = Q for all g implies that Tg = g(−P ) − (−P ) for all g ∈ G. Conversely, if Tg = g(−P ) − (−P ) for all g then gφ(P ) = φ(P ) for all g ∈ G, so φ(P ) is a rational point. Propositions 8.33 and 8.34 give us a reinterpretation in terms of cohomology groups of the fundamental question of when certain curves have rational points. Example 8.12 Consider the curve C1,p,p from Section 8.8. It was given by the equations x = u2 x − 2p = pv 2 x + 2p = pw2 . These were rewritten as w2 − v 2 = 4,

u2 − pv 2 = 2p.

The method of Section 2.5.4 changes this to C : s2 = 2p(t4 + 6t2 + 1). Finally, the transformation √  2p (x + 2p) 2t2 (x − p)  x2 + 4px − 4p2 √ t= , s = − 2p + = 2p y x(x − 2p) 2p (use the formulas of Section 2.5.3, plus a minor change of variables) changes the equation to E : y 2 = x(x − 2p)(x + 2p). We want to relate the curve C1,p,p from Section 8.8 to a cohomology class in H 1 (G, E(Q)). The map φ: E →C (x, y) → (t, s) gives a map from E to C. Since the equations for E and C have coefficients in Q, these curves are defined over Q. However, φ is not defined over Q. A short computation shows that (x, y) + (−2p, 0) = (x1 , y1 )

SECTION 8.9 GALOIS COHOMOLOGY

on E, where x1 = 2p

2p − x , 2p + x

y1 =

251

−8p2 y . (x + 2p)2

Another calculation shows that φ(x1 , y1 ) = (−t, −s). √ √ g Let g ∈ G be such that √ = − 2p. Then φ is the transformation √ g( 2p) obtained by changing 2p to − 2p in the formulas for φ. Therefore, φg (x, y) = (−t, −s) = φ(x1 , y1 ). We obtain

φ−1 φg (x, y) = (x, y) + (−2p, 0). √  √ Now suppose g ∈ G satisfies g 2p = + 2p. Then φg = φ, so φ−1 φg (x, y) = (x, y).

Putting everything together, we see that the pair (C, φ) is of the type considered above. We obtain an element of H 1 (G, E[2]) that can be regarded as an element of H 1 (G, E(Q)). The cocycle τφ is given by √  √ ∞ if g 2p √ = + 2p √ τφ (g) = Tg = (−2p, 0) if g 2p = − 2p The cohomology class of τφ is nontrivial in H 1 (G, E(Q)), and hence also in H 1 (G, E[2]), because C has no rational points. Note that τφ is a homomorphism from G to E[2]. This corresponds to the fact that G acts trivially on E[2] in the present case, so H 1 (G, E[2]) =√Hom(G, E[2]). The kernel of τ is the subgroup of G of index 2 that fixes Q( 2p). In general, if E is given by y 2 = (x − e1 )(x − e2 )(x − e3 ) with e1 , e2 , e3 ∈ Q, then a 2-descent yields curves Ca,b,c , as in Section 8.2. These curves yield elements of H 1 (G, E[2]). The curves that have rational points give cocycles in Z(G, E(Q)) that are coboundaries. We also saw in the descent procedure that a rational point on a curve Ca,b,c comes from a rational point on E. This discussion is summarized by the exact sequence 0 → E(Q)/2E(Q) → H 1 (G, E[2]) → H 1 (G, E(Q))[2] → 0. All of the preceding applies when Q is replaced by a p-adic field Qp with p ≤ ∞. We have an exact sequence 0 → E(Qp )/2E(Qp ) → H 1 (Gp , E[2]) → H 1 (Gp , E(Qp ))[2] → 0, where Gp = Gal(Qp /Qp ).

252

CHAPTER 8 ELLIPTIC CURVES OVER Q

The group Gp can be regarded as a subgroup of G. Recall that cocycles in Z(G, E[2]) are maps from G to E[2] with certain properties. Such maps may be restricted to Gp to obtain elements of Z(Gp , E[2]). A curve Ca,b,c yields an element of H 1 (G, E[2]). This yields an element of H 1 (Gp , E[2]) that becomes trivial in H 1 (Gp , E(Qp )) if and only if Ca,b,c has a p-adic point. In Section 8.7, we defined S2 to be those triples (a, b, c) such that Ca,b,c has a p-adic point for all p ≤ ∞. This means that S2 is the set of triples (a, b, c) such that the corresponding cohomology class in H 1 (G, E[2]) becomes trivial in H 1 (Gp , E(Qp )) for all p ≤ ∞. Moreover, 2 is S2 modulo those triples coming from points in E(Q). All of this can be expressed in terms of cohomology. We can also replace 2 by an arbitrary n ≥ 1. Define the Shafarevich-Tate group to be ⎛ = Ker ⎝H 1 (G, E(Q)) →

⎞



H 1 (Gp , E(Qp ))⎠

p≤∞

and define the n-Selmer group to be ⎛ Sn = Ker ⎝H 1 (Gp , E[n]) →



⎞ H 1 (Gp , E(Qp ))⎠ .

p≤∞

The Shafarevich-Tate group can be thought of as consisting of equivalence classes of pairs (C, φ) such that C has a p-adic point for all p ≤ ∞. This group is nontrivial if there exists such a C that has no rational points. In Section 8.8, we gave an example of such a curve. The n-Selmer group Sn can be regarded as the generalization to n-descents of the curves Ca,b,c that arise in 2-descents. It is straightforward to use the definitions to deduce the basic descent sequence 0 → E(Q)/nE(Q) → Sn →

[n] → 0,

where [n] is the n-torsion in . When one is doing descent, the goal is to obtain information about E(Q)/nE(Q). However, the calculations take place in Sn . The group [n] is the obstruction to transferring information back to E(Q)/nE(Q). The group Sn depends on n. It is finite (we proved this in the case where n = 2 and E[2] ⊆ E(Q)). The group is independent of n. Its n-torsion [n] is finite since it is the quotient of the finite group Sn . It was conjectured by Tate is finite; this is still unproved in and Shafarevich in the early 1960s that general. The first examples where was proved finite were given by Rubin in 1986 (for all CM curves over Q with analytic rank 0; see Section 14.2) and by Kolyvagin in 1987 (for all elliptic curves over Q with analytic rank 0 or 1). No other examples over Q are known.

EXERCISES

253

Exercises 8.1 Show that each of the following elliptic curves has the stated torsion group. (a) (b) (c) (d) (e) (f) (g) (h) (i) (j) (k) (l) (m) (n) (o)

y2 y2 y2 y2 y2 y2 y2 y2 y2 y2 y2 y2 y2 y2 y2

= x3 − 2; 0 = x3 + 8; Z2 = x3 + 4; Z3 = x3 + 4x; Z4 = x3 − 432x + 8208; Z5 = x3 + 1; Z6 = x3 − 1323x + 6395814; Z7 = x3 − 44091x + 3304854; Z8 = x3 − 219x + 1654; Z9 = x3 − 58347x + 3954150; Z10 = x3 − 33339627x + 73697852646; Z12 = x3 − x; Z2 ⊕ Z2 = x3 − 12987x − 263466; Z4 ⊕ Z2 = x3 − 24003x + 1296702; Z6 ⊕ Z2 = x3 − 1386747x + 368636886; Z8 ⊕ Z2

Parameterizations of elliptic curves with given torsion groups can be found in [67]. 8.2 Let E be an elliptic curve over Q given by an equation of the form y 2 = x3 + Cx2 + Ax + B, with A, B, C ∈ Z. (a) Modify the proof of Theorem 8.1 to obtain a homomorphism λr : Er /E3r −→ Zp2r (see [68, pp. 51-52]). (b) Show that (x, y) ∈ E(Q) is a torsion point, then x, y ∈ Z. 8.3 (a) Show that the map λr , applied to the curve y 2 = x3 , is the map of Theorem 2.30 divided by pr and reduced mod p4r . (b) Consider the map λr of Exercise 8.2, applied to the curve E : y 2 = x3 + ax2 . Let ψ be as in Theorem 2.31. The map λr ψ −1 gives a map x y + αx → p−r (mod p2r ). y − αx y Use the Taylor series for log((1 + t)/(1 − t)) to show that the map (2α)λr ψ −1 is p−r times the logarithm map, reduced mod p2r .

254

CHAPTER 8 ELLIPTIC CURVES OVER Q

8.4 Let E be given by y 2 = x3 + Ax + B with A, B ∈ Z. Let P = (x, y) be a point on E. (a) Let 2P = (x2 , y2 ). Show that   y 2 4x2 (3x2 + 4A) − 3x2 + 5Ax + 27B = 4A3 + 27B 2 . (b) Show that if both P and 2P have coordinates in Z, then y 2 divides 4A3 + 27B 2 . This gives another way to finish the proof of the Lutz-Nagell theorem. 8.5 Let E be the elliptic curve over Q given by y 2 + xy = x3 + x2 − 11x. Show that the point
 11 11 ,− P = 4 8 is a point of order 2. This shows that the integrality part of Theorem 8.7 (see also Exercise 8.2), which is stated for Weierstrass equations, does not hold for generalized Weierstrass equations. However, since changing from generalized Weierstrass form to the form in Exercise 8.2 affects only powers of 2 in the denominators, only the prime 2 can occur in the denominators of torsion points in generalized Weierstrass form. 8.6 Show that the Mordell-Weil group E(Q) of the elliptic curve y 2 = x3 −x is isomorphic to Z2 ⊕ Z2 . 8.7 Suppose E(Q) is generated by one point Q of infinite order. Suppose we take R1 = 3Q, which generates E(Q)/2E(Q). Show that the process with P0 = Q and Pi = Rji + 2Pi+1 , as in Section 8.3, never terminates. This shows that a set of representatives of E(Q)/2E(Q) does not necessarily generate E(Q). 8.8 Show that there is a set of representatives of E(Q)/2E(Q) that generates E(Q). (Hint: This mostly follows from the Mordell-Weil theorem. However, it does not handle the odd order torsion. Use Corollary 3.13 to show that the odd order torsion in E(Q) is cyclic. In the set of representatives, use a generator of this cyclic group for the representative of the trivial coset.) 8.9 Let E be an elliptic curve defined over Q and let n be a positive integer. Assume that E[n] ⊆ E(Q). Let P ∈ E(Q) and let Q ∈ E(Q) be such that nQ = P . Define a map δP : Gal(Q/Q) → E[n] by δP (σ) = σQ−Q. (a) Let σ ∈ Gal(Q/Q). Show that σQ − Q ∈ E[n]. (b) Show that δP is a cocycle in Z(G, E[n]).

EXERCISES

255

(c) Suppose we choose Q
with nQ
= P , and thus obtain a cocycle δP
. Show that δP − δP
is a coboundary. (d) Suppose that δP (σ) is a coboundary. Show that there exists Q ∈ E(Q) such that nQ = P . This shows that we have an injection E(Q)/nE(Q) → H 1 (G, E[n]). This is the map of Equation 8.18.

Chapter 9 Elliptic Curves over C The goal of this chapter is to show that an elliptic curve over the complex numbers is the same thing as a torus. First, we show that a torus is isomorphic to an elliptic curve. To do this, we need to study functions on a torus, which amounts to studying doubly periodic functions on C, especially the Weierstrass ℘-function. We then introduce the j-function and use its properties to show that every elliptic curve over C comes from a torus. Since most of the fields of characteristic 0 that we meet can be embedded in C, many properties of elliptic curves over fields of characteristic 0 can be deduced from properties of a torus. For example, the n-torsion on a torus is easily seen to be isomorphic to Zn ⊕ Zn , so we can deduce that this holds for all elliptic curves over algebraically closed fields of characteristic 0 (see Corollary 9.22).

9.1 Doubly Periodic Functions Let ω1 , ω2 be complex numbers that are linearly independent over R. Then L = Zω1 + Zω2 = {n1 ω1 + n2 ω2 | n1 , n2 ∈ Z} is called a lattice. The main reason we are interested in lattices is that C/L is a torus, and we want to show that a torus gives us an elliptic curve. The set F = {a1 ω1 + a2 ω2 | 0 ≤ ai < 1, i = 1, 2} (see Figure 9.1) is called a fundamental parallelogram for L. A different choice of basis ω1 , ω2 for L will of course give a different fundamental parallelogram. Since it will occur several times, we denote ω3 = ω1 + ω2 . A function on C/L can be regarded as a function f on C such that f (z + ω) = f (z) for all z ∈ C and all ω ∈ L. We are only interested in meromorphic

257

258

CHAPTER 9 ELLIPTIC CURVES OVER C

Ω3

Ω1

Ω2

0 Figure 9.1

The Fundamental Parallelogram functions, so we define a doubly periodic function to be a meromorphic function f :C→C∪∞ such that f (z + ω) = f (z) for all z ∈ C and all ω ∈ L. Equivalently, f (z + ωi ) = f (z),

i = 1, 2.

The numbers ω ∈ L are called the periods of f . If f is a (not identically 0) meromorphic function and w ∈ C, then we can write f (z) = ar (z − w)r + ar+1 (z − w)r+1 + · · · , with ar = 0. The integer r can be either positive, negative, or zero. Define the order and the residue of f at w to be r = ordw f a-1 = Resw f. Therefore, ordw f is the order of vanishing of f at w, or negative the order of a pole. The order is 0 if and only if the function is finite and nonvanishing at w. It is not hard to see that if f is doubly periodic, then ordw+ω f = ordw f and Resw+ω f = Resw f for all ω ∈ L. A divisor D is a formal sum of points: D = n1 [w1 ] + n2 [w2 ] + · · · + nk [wk ], where ni ∈ Z and wi ∈ F . In other words, we have a symbol [w] for each w ∈ F , and the divisors are linear combinations with integer coefficients of these symbols. The degree of a divisor is
deg(D) = ni .

SECTION 9.1 DOUBLY PERIODIC FUNCTIONS

259

Define the divisor of a function f to be
div(f ) = (ordw f )[w]. w∈F

THEOREM 9.1 Let f be a doubly periodic function for the lattice L and let F be a fundamental parallelogram for L. 1. If f has no poles, then f is constant.  2. w∈F Resw f = 0. 3. If f is not identically 0, deg(div(f )) =




ordw f = 0.

w∈F

4. If f is not identically 0,




w · ordw f ∈ L.

w∈F

5. If f is not constant, then f : C → C ∪ ∞ is surjective. If n is the sum of the orders of the poles of f in F and z0 ∈ C, then f (z) = z0 has n solutions (counting multiplicities). 6. If f has only one pole in F , then this pole cannot be a simple pole. All of the above sums over w ∈ F have only finitely many nonzero terms. PROOF Because f is a meromorphic function, it can have only finitely many zeros and poles in any compact set, for example, the closure of F . Therefore, the above sums have only finitely many nonzero terms. If f has no poles, then it is bounded in the closure of F , which is a compact set. Therefore, f is bounded in all of C. Liouville’s theorem says that a bounded entire function is constant. This proves (1). Recall Cauchy’s theorem, which says that 
f (z)dz = 2πi Resw f, ∂F

w∈F

where ∂F is the boundary of F and the line integral is taken in the counterclockwise direction. Write (assuming ω1 , ω2 are oriented as in Figure 9.1; otherwise, switch them in the following)  f (z)dz = ∂F ω2





0



ω2 +ω1

f (z)dz +

f (z)dz + ω2



ω1

ω1 +ω2

0

f (z)dz +

f (z)dz. ω1

260

CHAPTER 9 ELLIPTIC CURVES OVER C

Since f (z + ω1 ) = f (z), we have  ω1  f (z)dz =

ω2

ω1 +ω2

Similarly,

0



ω1 +ω2

ω2

 f (z)dz = − 

f (z)dz = −

ω2 0

f (z)dz.

0

ω1

f (z)dz.

Therefore, the sum of the four integrals is 0. There is a small technicality that we have passed over. The function f is not allowed to have any poles on the path of integration. If it does, adjust the path with a small detour around such points as in Figure 9.2. The integrals cancel, just as in the above. This proves (2).

Ω3



Ω1

Ω2



0 Figure 9.2

Suppose r = ordw f . Then f (z) = (z − w)r g(z), where g(w) is finite and nonzero. Then r g  (z) f  (z) = + , f (z) z−w g(z) so   f Resw = r. f If f is doubly periodic, then f  is doubly periodic. Therefore, (2) applied to f  /f yields  

f 2πi ordw f = 2πi Resw = 0. f w∈F

w∈F

This proves (3). For (4), we have 2πi


w∈F

w · ordw f = 2πi


w∈F

 Resw z

f f



 = ∂F

z

f dz. f

SECTION 9.1 DOUBLY PERIODIC FUNCTIONS

261

However, in this case, the function zf  /f is not doubly periodic. The integral may be written as a sum of four integrals, as in the proof of (2). The double periodicity of f and f  yield  0  ω1 f  (z) f  (z) dz = dz z (z + ω1 ) f (z) ω2 ω1 +ω2 f (z)  ω2   ω2  f (z) f (z) =− dz − ω1 dz. z f (z) f (z) 0 0 But

1 2πi



ω2

0

f  (z) dz f (z)

is the winding number around 0 of the path 0 ≤ t ≤ 1.

z = f (tω2 ),

Since f (0) = f (ω2 ), this is a closed path. The winding number is an integer, so  ω1  ω2  f (z) f  (z) dz + dz z z f (z) 0 ω1 +ω2 f (z)  ω2  f (z) = −ω1 dz ∈ 2πiZω1 . f (z) 0 Similarly,



ω1 +ω2

ω2

z

f  (z) dz + f (z)

Therefore, 2πi






0

ω1

z

f  (z) dz ∈ 2πiZω2 . f (z)

w · ordw f ∈ 2πiL.

w∈F

This proves (4). To prove (5), let z0 ∈ C. Then h(z) = f (z) − z0 is a doubly periodic function whose poles are the same as the poles of f . By (3), the number of zeros of h(z) in F (counting multiplicities) equals the number of poles (counting multiplicities) of h, which is n. This proves (5). For (6), suppose f has only a simple pole, say at w, and no others. Then Resw f = 0 (otherwise, the pole doesn’t exist). The sum in (2) has only one term, and it is nonzero. This is impossible, so we conclude that either the pole cannot be simple or there must be other poles. REMARK 9.2 As we saw in the proof of (5), part (3) says that the number of zeros of a doubly periodic function equals the number of poles. This is a general fact for compact Riemann surfaces (such as a torus) and for projective algebraic curves (see [42, Ch. 8, Prop. 1] or [49, II, Cor. 6.10]).

262

CHAPTER 9 ELLIPTIC CURVES OVER C

If (6) were false for a function f , then f would give a bijective (by (5)) map from the torus to the Riemann sphere (= C ∪ ∞). This is impossible for many topological reasons (the torus has a hole but the sphere doesn’t). So far, we do not have any examples of nonconstant doubly periodic functions. This situation is remedied by the Weierstrass ℘-function. THEOREM 9.3 Given a lattice L, define the Weierstrass ℘-function by 
 1 1 1 ℘(z) = ℘(z; L) = 2 + − . z (z − ω)2 ω2 ω∈L

(9.1)

ω=0

Then 1. The sum defining ℘(z) converges absolutely and uniformly on compact sets not containing elements of L. 2. ℘(z) is meromorphic in C and has a double pole at each ω ∈ L. 3. ℘(−z) = ℘(z) for all z ∈ C. 4. ℘(z + ω) = ℘(z) for all ω ∈ L. 5. The set of doubly periodic functions for L is C(℘, ℘ ). In other words, every doubly periodic function is a rational function of ℘ and its derivative ℘ . PROOF Let C be a compact set, and let M = Max{|z| | z ∈ C}. If z ∈ C and |ω| ≥ 2M , then |z − ω| ≥ |ω|/2 and |2ω − z| ≤ 5|ω|/2, so      1 1   z(2ω − z)    (z − ω)2 − ω 2  =  (z − ω)2 ω 2  (9.2) M (5|ω|/2) 10M ≤ = . |ω|4 /4 |ω|3 The preceding calculation explains why the terms 1/ω 2 are included. Without them, the terms in the sum would be comparable to 1/ω 2 . Subtracting this 1/ω 2 makes the terms comparable to 1/ω 3 . This causes the sum to converge, as the following lemma shows. LEMMA 9.4 If k > 2 then


1 |ω|k ω∈L ω=0

SECTION 9.1 DOUBLY PERIODIC FUNCTIONS

263

converges. PROOF Let F be a fundamental parallelogram for L and let D be the length of the longer diagonal of F . Then |z| ≤ D for all z ∈ F . Let ω = m1 ω1 + m2 ω2 ∈ L with |ω| ≥ 2D. If x1 , x2 are real numbers with mi ≤ xi < mi + 1, then ω and x1 ω1 + x2 ω2 differ by an element of F , so 1 |m1 ω1 + m2 ω2 | ≥ |x1 ω1 + x2 ω2 | − D ≥ |x1 ω1 + x2 ω2 | − |m1 ω1 + m2 ω2 |, 2 since |m1 ω1 + m2 ω2 | ≥ 2D. Therefore, |m1 ω1 + m2 ω2 | ≥

2 |x1 ω1 + x2 ω2 |. 3

Similarly, |x1 ω1 + x2 ω2 | ≥ D. Comparing the sum to an integral yields 
1 ≤ (1/area of F ) |ω|k |ω|≥2D

|x1 ω1 +x2 ω2 |≥D

(3/2)k dx1 dx2 . |x1 ω1 + x2 ω2 |k

The change of variables defined by u + iv = x1 ω1 + x2 ω2 changes the integral to   2π  ∞ 1 1 C du dv = C r dr dθ < ∞, k 2 2 k/2 (u + v ) θ=0 r=D r |u+iv|≥D

where C = (3/2)k /(area of F ). Therefore, the sum for |ω| ≥ 2D converges. Since there are only finitely many ω with |ω| < 2D, we have shown that the sum converges. Lemma 9.4 and Equation 9.2 imply that the sum of the terms in Equation 9.1 with |ω| ≥ 2M converges absolutely and uniformly for z ∈ C. Since only finitely many terms have been omitted, we obtain (1). Since a uniform limit of analytic functions is analytic, ℘(z) is analytic for z ∈ L. If z ∈ L, then the sum of the terms for ω = z is analytic near z, so the term 1/(z − ω)2 causes ℘ to have a double pole at z. This proves (2). To prove (3), note that ω ∈ L if and only if −ω ∈ L. Therefore, in the sum for ℘(−z), we can take the sum over −ω ∈ L. The terms of this sum are of the form 1 1 1 1 − = − 2. 2 2 2 (−z + ω) (−ω) (z − ω) ω Therefore the sum for ℘(−z) equals the sum for ℘(z). The proof of (4) would be easy if we could ignore the terms 1/ω 2 , since changing z to z + ω would simply shift the summands. However, these terms

264

CHAPTER 9 ELLIPTIC CURVES OVER C

are needed for convergence. With some care, one could justify rearranging the sum, but it is easier to do the following. Differentiating ℘(z) term by term yields
1 ℘ (z) = −2 . (z − ω)3 ω∈L

Note that ω = 0 is included in the sum. This sum converges absolutely (by comparison with the case k = 3 in Lemma 9.4) when z ∈ L, and changing z to z + ω shifts the terms in the sum. Therefore, ℘ (z + ω) = ℘ (z). This implies that there is a constant cω such that ℘(z + ω) − ℘(z) = cω , for all z ∈ L. Setting z = ω/2 yields cω = ℘(−ω/2) − ℘(ω/2) = 0, by (3). Therefore ℘(z + ω) = ℘(z). This proves (4). Let f (z) be any doubly periodic function. Then f (z) =

f (z) + f (−z) f (z) − f (−z) + 2 2

expresses f (z) as the sum of an even function and an odd function. Therefore, it suffices to prove (5) for even functions and for odd functions. Since ℘(−z) = ℘(z), it follows that ℘ (−z) = −℘ (z), so ℘ (z) is an odd function. If f (z) is odd, then f (z)/℘ (z) is even. Therefore, it suffices to show that an even doubly periodic function is a rational function of ℘(z). Let f (z) be an even doubly periodic function. We may assume that f is not identically zero; otherwise, we’re done. By changing f , if necessary, to af + b cf + d for suitable a, b, c, d with ad − bc = 0, we may arrange that f (z) does not have a zero or a pole whenever 2z ∈ L (this means that we want f (0) = 0, ∞ and f (ωi /2) = 0 for i = 1, 2, 3). If we prove (af + b)/(cf + d) is a rational function of ℘, then we can solve for f and obtain the result for f . Since f (z) is even and doubly periodic, f (ω3 − z) = f (z), so ordw f = ordω3 −w f. We can therefore put the finitely many elements in F where f (z) = 0 or where f (z) has a pole into pairs (w, ω3 − w). Since we have arranged that w = ω3 /2, the two elements of each pair are distinct. There is a slight

SECTION 9.1 DOUBLY PERIODIC FUNCTIONS

265

problem if w lies on a side of F . Suppose w = xω1 with 0 < x < 1. Then ω3 − w = (1 − x)ω1 + ω2 ∈ F . In this case, we translate by ω2 to get (1 − x)ω1 ∈ F . Since w = ω1 /2, we have x = 1/2, hence xω1 = (1 − x)ω1 , and again the two elements of the pair are distinct. The case w = xω2 is handled similarly. For a fixed w, the function ℘(z) − ℘(w) has zeros at z = w and z = ω3 − w. By Theorem 9.1(5), these are the only two zeros in F and they are simple zeros. Therefore, the function  ord f (℘(z) − ℘(w)) w h(z) = (w, ω3 −w)

(the product is over pairs (w, ω3 − w)) has a zero of order ordw f at w and at ω3 − w when ord w f > 0 and has a pole of the same order as f when ordw f = 0 by Theorem 9.1, the poles at z ∈ L of the ordw f < 0. Since factors in the product cancel. Therefore, f (z)/h(z) has no zeros or poles in F . By Theorem 9.1(1), f (z)/h(z) is constant. Since h(z) is a rational function of ℘(z), so is f (z). This completes the proof of Theorem 9.3. In order to construct functions with prescribed properties, it is convenient to introduce the Weierstrass σ-function. It is not doubly periodic, but it satisfies a simple transformation law for translation by elements of L. PROPOSITION 9.5 Let  z (z/w)+ 1 (z/w)2 2 1− e . σ(z) = σ(z; L) = z ω ω∈L ω=0

Then 1. σ(z) is analytic for all z ∈ C 2. σ(z) has simple zeros at each ω ∈ L and has no other zeros 3.

d2 dz 2

log σ(z) = −℘(z)

4. given ω ∈ L, there exist a = aω and b = bω such that σ(z + ω) = eaz+b σ(z) for all z ∈ C. PROOF The exponential factor is included to make the product converge. A short calculation yields the power series expansion 1

2

(1 − u)eu+ 2 u = 1 + c3 u3 + c4 u4 + · · · .

266

CHAPTER 9 ELLIPTIC CURVES OVER C

Therefore, there is a constant C such that 1

2

|(1 − u)eu+ 2 u − 1| ≤ C|u|3 for u near 0. In particular, this inequality holds when u = z/ω for |ω| sufficiently large and

z in a compact set. Recall that if a sum |an | converges, Moreover, if (1+a ) =  0 for all n, then then the product (1+an ) converges. n  the product is nonzero. Since |z/ω|3 converges by Lemma 9.4 with k = 3, the product defining σ(z) converges uniformly on compact sets. Therefore, σ(z) is analytic. This proves (1). Part (2) follows since the product of the factors, omitting one ω, is nonzero at z = ω. To prove (3), differentiate the logarithm of the product for σ(z) to obtain   1 1
1 z d log σ(z) = + + + 2 . dz z z−ω ω ω ω∈L ω=0

Taking one more derivative yields the sum for −℘(z). This proves (3). Let ω ∈ L. Since σ(z + ω) d2 = 0, log 2 dz σ(z) there are constants a = aω and b = bω such that log

σ(z + ω) = az + b. σ(z)

Exponentiating yields (4). We can restrict z in the above to lie in a small region in order to avoid potential complications with branches of the logarithm. Then (4) holds in this small region, and therefore for all z ∈ C, by uniqueness of analytic continuation. We can now state exactly when a divisor is a divisor of a function. The following is a special case of what is known as the Abel-Jacobi theorem, which states when a divisor on a Riemann surface, or on an algebraic curve, is the divisor of a function. THEOREM  9.6 divisor. Then D is the divisor of a function if and Let D = ni [wi ] be a only if deg(D) = 0 and ni wi ∈ L. PROOF Parts (3) and (4) of Theorem 9.1 are precisely  the statements that if D is the divisor of a function then deg(D) = 0 and ni wi ∈ L.  Conversely, suppose deg(D) = 0 and ni wi =  ∈ L. Let f (z) =

σ(z)  σ(z − wi )ni . σ(z − ) i

SECTION 9.2

TORI ARE ELLIPTIC CURVES

267

If ω ∈ L, then  f (z + ω) = eaω z+bω −aω (z−)−bω e ni (aω (z−wi )+bω ) = 1, f (z)

  since ni = 0 and ni wi = . Therefore, f (z) is doubly periodic. The divisor of f is easily seen to be D, so D is the divisor of a function. Doubly periodic functions can be regarded as functions on the torus C/L, and divisors can be regarded as divisors for C/L. If we let C(L)× denote the doubly periodic functions that do not vanish identically and let Div0 (C/L) denote the divisors of degree 0, then much of the preceding discussion can be expressed by the exactness of the sequence div

sum

0 −→ C× −→ C(L)× −→ Div0 (C/L) −→ C/L −→ 0.

(9.3)

The “sum” function adds up the complex numbers representing the points in the divisor mod L. The exactness at C(L)× expresses the fact that a function with no zeros and no poles, hence whose divisor is 0, is a constant. The exactness at Div0 (C/L) is Theorem 9.6. The surjectivity of the sum function is easy. If w ∈ C, then sum([w] − [0]) = w mod L.

9.2 Tori are Elliptic Curves The goal of this section is to show that a complex torus C/L is naturally isomorphic to the complex points on an elliptic curve. Let L be a lattice, as in the previous section. For integers k ≥ 3, define the Eisenstein series
Gk = Gk (L) = ω −k . (9.4) ω∈L ω=0

By Lemma 9.4, the sum converges. When k is odd, the terms for ω and −ω cancel, so Gk = 0. PROPOSITION 9.7 For 0 < |z| < Min 0=ω∈L (|ω|), ∞


1 (2j + 1)G2j+2 z 2j . ℘(z) = 2 + z j=1

268

CHAPTER 9 ELLIPTIC CURVES OVER C

PROOF

When |z| < |ω|,  1 − 1 (1 − (z/ω))2 ∞
zn −2 =ω (n + 1) n . ω n=1

1 1 − 2 = ω −2 (z − ω)2 ω

Therefore,



∞

℘(z) =



zn 1 + (n + 1) . z2 ω n+2 n=1 ω=0

Summing over ω first, then over n, yields the result. THEOREM 9.8 Let ℘(z) be the Weierstrass ℘-function for a lattice L. Then ℘ (z)2 = 4℘(z)3 − 60G4 ℘(z) − 140G6 . PROOF

From Proposition 9.7, ℘(z) = z −2 + 3G4 z 2 + 5G6 z 4 + · · · ℘ (z) = −2z −3 + 6G4 z + 20G6 z 3 + · · · .

Cubing and squaring these two relations yields ℘(z)3 = z −6 + 9G4 z −2 + 15G6 + · · · ℘ (z)2 = 4z −6 − 24G4 z −2 − 80G6 + · · · . Therefore, f (z) = ℘ (z)2 − 4℘(z)3 + 60G4 ℘(z) + 140G6 = c1 z + c2 z 2 + · · · is a power series with no constant term and with no negative powers of z. But the only possible poles of f (z) are at the poles of ℘(z) and ℘ (z), namely, the elements of L. Since f (z) is doubly periodic and, as we have just shown, has no pole at 0, f (z) has no poles. By Theorem 9.1, f (z) is constant. Since the power series for f (z) has no constant term, f (0) = 0. Therefore, f (z) is identically 0. It is customary to set g2 = 60G4 g3 = 140G6 .

SECTION 9.2

TORI ARE ELLIPTIC CURVES

269

The theorem then says that ℘ (z)2 = 4℘(z)3 − g2 ℘(z) − g3 .

(9.5)

Therefore, the points (℘(z), ℘ (z)) lie on the curve y 2 = 4x3 − g2 x − g3 . It is traditional to leave the 4 as the coefficient of x3 , rather than performing a change of variables to make the coefficient of x3 equal to 1. The discriminant of the cubic polynomial is 16(g23 − 27g32 ). PROPOSITION 9.9 ∆ = g23 − 27g32 = 0. PROOF Since ℘ (z) is doubly periodic, ℘ (ωi /2) = ℘ (−ωi /2). Since ℘ (−z) = −℘ (z), it follows that ℘ (ωi /2) = 0,

i = 1, 2, 3.

(9.6)

Therefore, each ℘(ωi /2) is a root of 4x3 − g2 x − g3 , by (9.5). If we can show that these roots are distinct, then the cubic polynomial has three distinct roots, which means that its discriminant is nonzero. Let hi (z) = ℘(z) − ℘(ωi /2). Then hi (ωi /2) = 0 = hi (ωi /2), so hi vanishes to order at least 2 at ωi /2. Since hi (z) has only one pole in F , namely the double pole at z = 0, Theorem 9.1(5) implies that ωi /2 is the only zero of hi (z). In particular, hi (ωj /2) = 0,

when j = i.

Therefore, the values ℘(ωi /2) are distinct. The proposition implies that E : y 2 = 4x3 − g2 x − g3 is the equation of an elliptic curve, so we have a map from z ∈ C to the points with complex coordinates (℘(z), ℘ (z)) on an elliptic curve. Since ℘(z) and ℘ (z) depend only on z mod L (that is, if we change z by an element of L, the values of the functions do not change), we have a function from C/L to E(C). The group C/L is a group, with the group law being addition of complex numbers mod L. In concrete terms, we can regard elements of C/L as elements of F . When we add two points, we move the result back into F by subtracting a suitable element of L. For example, (.7ω1 + .8ω2 ) + (.4ω1 + .9ω2 ) yields .1ω1 + .7ω2 .

270

CHAPTER 9 ELLIPTIC CURVES OVER C

THEOREM 9.10 Let L be a lattice and let E be the elliptic curve y 2 = 4x3 − g2 x − g3 . The map Φ : C/L −→ E(C) z −→ (℘(z), ℘ (z)) 0 −→ ∞ is an isomorphism of groups. PROOF The surjectivity is easy. Let (x, y) ∈ E(C). Since the function ℘(z) − x has a double pole, Theorem 9.1 implies that it has zeros, so there exists z ∈ C such that ℘(z) = x. Theorem 9.8 implies that ℘ (z)2 = y 2 , so ℘ (z) = ±y. If ℘ (z) = y, we’re done. If ℘ (z) = −y, then ℘ (−z) = y and ℘(−z) = x, so −z → (x, y). Suppose ℘(z1 ) = ℘(z2 ) and ℘ (z1 ) = ℘ (z2 ), and z1 ≡ z2 mod L. The only poles of ℘(z) are for z ∈ L. Therefore, if z1 is a pole of ℘, then z1 ∈ L and z2 ∈ L, so z1 ≡ z2 mod L. Now assume z1 is not a pole of ℘, so z1 is not in L. The function h(z) = ℘(z) − ℘(z1 ) has a double pole at z = 0 and no other poles in F . By Theorem 9.1, it has exactly two zeros. Suppose z1 = ωi /2 for some i. From Equation 9.6, we know that ℘ (ωi /2) = 0, so z1 is a double root of h(z), and hence is the only root. Therefore z2 = z1 . Finally, suppose z1 is not of the form ωi /2. Since h(−z1 ) = h(z1 ) = 0, and since z1 ≡ −z1 mod L, the two zeros of h are z1 and −z1 mod L. Therefore, z2 ≡ −z1 mod L. But y = ℘ (z2 ) = ℘ (−z1 ) = −℘ (z1 ) = −y. This means that ℘ (z1 ) = y = 0. But ℘ (z) has only a triple pole, so has only three zeros in F . From Equation 9.6, we know that these zeros occur at ωi /2. This is a contradiction, since z = ωi /2. Therefore, z1 ≡ z2 mod L, so Φ is injective. Finally, we need to show that Φ is a group homomorphism. Let z1 , z2 ∈ C and let Φ(zi ) = Pi = (xi , yi ). Assume that both P1 , P2 are finite and that the line through P1 , P2 intersects E in three distinct finite points (this means that P1 = ±P2 , that 2P1 +P2 = ∞, and that P1 + 2P2 = ∞). For a fixed z1 , this excludes finitely many values of z2 . There are two reasons for these exclusions. The first is that the addition law on E has a different formula when the points are equal. The second is

SECTION 9.2

TORI ARE ELLIPTIC CURVES

271

that we do not need to worry about the connection between double roots in the algebraic calculations and double roots of the corresponding analytic functions. Let y = ax + b be the line through P1 , P2 . Let P3 = (x3 , y3 ) be the third point of intersection of this line with E and let (x3 , y3 ) = P3 = Φ(z3 ) with z3 ∈ C. The formulas for the group law on E show that 1 x3 = 4 =

1 4

 

y2 − y1 x2 − x1

2 − x1 − x2

℘ (z2 ) − ℘ (z1 ) ℘(z2 ) − ℘(z1 )

2 − ℘(z1 ) − ℘(z2 ).

The function (z) = ℘ (z) − a℘(z) − b has zeros at z = z1 , z2 , z3 . Since (z) has a triple pole at 0, and no other poles, it has three zeros in F . Therefore, div() = [z1 ] + [z2 ] + [z3 ] − 3[0]. By Theorem 9.1(4), z1 + z2 + z3 ∈ L. Therefore, ℘(z1 + z2 ) = ℘(−z3 ) = ℘(z3 ) = x3 . We obtain ℘(z1 + z2 ) =

1 4



℘ (z2 ) − ℘ (z1 ) ℘(z2 ) − ℘(z1 )

2 − ℘(z1 ) − ℘(z2 ).

(9.7)

By continuity, this formula, which we proved with certain values of the zi excluded, now holds for all zi for which it is defined. We now need to consider the y-coordinate. This means that we need to compute ℘ (z1 + z2 ). We sketch the method (the interested and careful reader may check the details). Differentiating (9.7) with respect to z2 yields an expression for ℘ (z1 + z2 ) in terms of x1 , x2 , y1 , y2 , and ℘ (z2 ). We need to express ℘ in terms of ℘ and ℘ . Differentiating (9.5) yields 2℘ ℘ = (12℘2 − g2 )℘ . Dividing by ℘ (z) (this is all right if ℘ (z) = 0; the other cases are filled in by continuity) yields 2℘ (z2 ) = 12℘(z2 )2 − g2 .

(9.8)

Substituting this into the expression obtained for ℘ (z1 + z2 ) yields an expression for ℘ (z1 + z2 ) in terms of ℘(z1 ), ℘ (z1 ), ℘(z2 ), ℘ (z2 ). Some algebraic

272

CHAPTER 9 ELLIPTIC CURVES OVER C

manipulation shows that this equals the value for −y3 obtained from the addition law for (x1 , y1 ) + (x2 , y2 ) = (x3 , −y3 ). Therefore, (℘(z1 ), ℘ (z1 )) + (℘(z2 ), ℘ (z2 )) = (℘(z1 + z2 ), ℘ (z1 + z2 )). This is exactly the statement that Φ(z1 ) + Φ(z2 ) = Φ(z1 + z2 ).

(9.9)

It remains to check (9.9) in the cases where (9.7) is not defined. The cases where ℘(zi ) = ∞ and where z1 ≡ −z2 mod L are easily checked. The opital’s rule, and remaining case is when z1 = z2 . Let z2 → z1 in (9.7), use l’Hˆ use (9.8) to obtain  2 1 ℘ (z1 ) − 2℘(z1 ) ℘(2z1 ) = 4 ℘ (z1 )  2 1 6℘(z1 )2 − 12 g2 = − 2℘(z1 ) (9.10) 4 ℘ (z1 ) 2  1 6x21 − 12 g2 = − 2x1 . 4 y1 This is the formula for the coordinate x3 that is obtained from the addition law on E. Differentiating with respect to z1 yields the correct formula for the y-coordinate, as above. Therefore, Φ(z1 ) + Φ(z1 ) = Φ(2z1 ). This completes the proof of the theorem. The theorem shows that the natural group law on the torus C/L matches the group law on the elliptic curve, which perhaps looks a little unnatural. Also, the classical formulas (9.7) and (9.10) for the Weierstrass ℘-function, which look rather complicated, are now seen to be expressing the group law for E.

9.3 Elliptic Curves over C In the preceding section, we showed that a torus yields an elliptic curve. In the present section, we’ll show the converse, namely, that every elliptic curve over C comes from a torus. Let L = Zω1 + Zω2 be a lattice and let τ = ω1 /ω2 .

SECTION 9.3 ELLIPTIC CURVES OVER C

273

Since ω1 and ω2 are linearly independent over R, the number τ cannot be real. By switching ω1 and ω2 if necessary, we may assume that the imaginary part of τ is positive: (τ ) > 0. In other words, we assume τ lies in the upper half plane H = {x + iy ∈ C | y > 0}. The lattice Lτ = Zτ + Z is homothetic to L. This means that there exists a nonzero complex number λ such that L = λLτ . In our case, λ = ω2 . For integers k ≥ 3, define


Gk (τ ) = Gk (Lτ ) =

(m,n)=(0,0)

1 . (mτ + n)k

(9.11)

We have Gk (τ ) = ω2k Gk (L), where Gk (L) is the Eisenstein series defined for L = Zω1 + Zω2 by (9.4). Let q = e2πiτ . It will be useful to express certain functions as sums of powers of q. If τ = x + iy with y > 0, then |q| = e−2πy < 1. This implies that the expressions we obtain will converge. PROPOSITION 9.11 ∞ Let ζ(x) = n=1 n−x and let σ (n) =




d

d|n

be the sum of the th powers of the positive divisors of n. If k ≥ 2 is an integer, then G2k (τ ) = 2ζ(2k) + 2

∞ (2πi)2k
σ2k−1 (n)q n (2k − 1)! n=1 ∞

(2πi)2k
j 2k−1 q j = 2ζ(2k) + 2 . (2k − 1)! j=1 1 − q j

274

CHAPTER 9 ELLIPTIC CURVES OVER C

PROOF

We have π

cos πτ eπiτ + e−πiτ = πi πiτ sin πτ e − e−πiτ 2πi q+1 = πi + = πi q−1 q−1 ∞
qj . = πi − 2πi

(9.12)

j=0

Recall the product expansion sin πτ = πτ

∞  

1−

n=1

τ  τ 1+ n n

(see [4]). Taking the logarithmic derivative yields  ∞  1 cos πτ 1
1 π = + + . sin πτ τ n=1 τ − n τ + n

(9.13)

Differentiating (9.12) and (9.13) 2k − 1 times with respect to τ yields −

∞


(2πi)2k j 2k−1 q j = (−1)2k−1 (2k − 1)!

j=1

∞


1 . (τ + n)2k n=−∞

Consider (9.11) with 2k in place of k. Since 2k is even, the terms for (m, n) and (−m, −n) are equal, so we only need to sum for m = 0, n > 0 and for m > 0, n ∈ Z, then double the answer. We obtain G2k (τ ) = 2

∞ ∞ ∞


1 1 + 2 2k n (mτ + n)2k n=1 m=1 n=−∞

= 2ζ(2k) + 2

∞ ∞

(2πi)2k j 2k−1 m=1 j=1

(2k − 1)!

q mj

∞ ∞ (2πi)2k

2k−1 mj = 2ζ(2k) + 2 j q . (2k − 1)! m=1 j=1

Let n = mj in the last expression. Then, for a given n, the sum over j can be regarded as the sum over the positive divisors of n. This yields  the first expression in the statement of the proposition. The expansion m≥1 q mj = q j /(1 − q j ) yields the second expression.

Recall that we defined g2 = g2 (L) = 60G4 (L) and g3 = g3 (L) = 140G6 (L) for arbitrary lattices L. Restricting to Lτ , we define g2 (τ ) = g2 (Lτ ),

g3 (τ ) = g3 (Lτ ).

275

SECTION 9.3 ELLIPTIC CURVES OVER C

Using the facts that ζ(4) =

π4 90

and

ζ(6) =

π6 , 945

we obtain 4

4

g2 (τ ) =

4π 4π (1 + 240q + · · · ) = 3 3

g3 (τ ) =

8π 6 8π 6 (1 − 504q + · · · ) = 27 27

⎛

⎞ ∞ 3 j
j q ⎠ ⎝1 + 240 1 − qj j=1 ⎛ ⎞ ∞ 5 j
j q ⎠ ⎝1 − 504 . 1 − qj j=1

Since ∆ = g23 − 27g32 , a straightforward calculation shows that ∆(τ ) = (2π)12 (q + · · · ). Define j(τ ) = 1728 Then j(τ ) = yields

1 q

g23 . ∆

+ · · · . Including a few more terms in the above calculations j(τ ) =

1 + 744 + 196884q + 21493760q 2 + · · · . q

For computational purposes, this series converges slowly since the coefficients are large. It is usually better to use the following. PROPOSITION 9.12  ∞ j 3 q j 3 1 + 240 j=1 1−q j j(τ ) = 1728   3 ∞ j 3 q j ∞ 1 + 240 j=1 1−q − 1 − 504 j=1 j 

j 5 qj 1−q j

2 .

PROOF Substitute the above expressions for g2 , g3 into the definition of the j-function. The powers of π and other constants cancel to yield the present expression. It can be shown (see [70, p. 249]) that ∆ = (2π)12 q

∞ 

(1 − q k )24 .

k=1

276

CHAPTER 9 ELLIPTIC CURVES OVER C

This yields the expression



j=

j 3 qj 1 + 240 j=1 1 − qj

∞ q k=1 (1 − q k )24 ∞

3 ,

which also works very well for computing j. More generally, if L is a lattice, define j(L) = 1728

g2 (L)3 . g2 (L)3 − 27g3 (L)2

If λ ∈ C× , then the definitions of G4 and G6 easily imply that g2 (λL) = λ−4 g2 (L)

and

g3 (λL) = λ−6 g3 (L).

Therefore j(L) = j(λL). Letting L = Zω1 + Zω2 and λ = ω2−1 , we obtain j(Zω1 + Zω2 ) = j(τ ), where τ = ω1 /ω2 . Recall that



SL2 (Z) =

ab cd

    a, b, c, d ∈ Z, ad − bc = 1 

acts on the upper half plane H by   aτ + b ab τ= cd cτ + d for all τ ∈ H. PROPOSITION  9.13  ab Let τ ∈ H and let ∈ SL2 (Z). Then cd   aτ + b j = j(τ ). cτ + d PROOF Gk



We first compute what happens with Gk : 
aτ + b 1 = aτ +b cτ + d (m cτ +d + n)k (m,n)=(0,0) = (cτ + d)k




(m,n)=(0,0)

= (cτ + d)k




(m,n)=(0,0)

1 (m(aτ + b) + n(cτ + d))k 1 . ((ma + nc)τ + (mb + nd))k

(9.14)

SECTION 9.3 ELLIPTIC CURVES OVER C

 Since

ab cd



277

has determinant 1, we have 

ab cd

Let (m , n ) = (m, n)

−1

 =



ab cd

d −b −c a

 .

 = (ma + nc, mb + nd).

Then 





(m, n) = (m , n )

d −b −c a

 ,

so there is a one-to-one correspondence between pairs of integers (m, n) and pairs of integers (m , n ). Therefore,  
aτ + b 1 Gk = (cτ + d)k  τ + n )k cτ + d (m   (m ,n )=(0,0)

k

= (cτ + d) Gk (τ ). Since g2 and g3 are multiples of G4 and G6 , we have     aτ + b aτ + b g2 = (cτ + d)4 g2 (τ ), g3 = (cτ + d)6 g3 (τ ). cτ + d cτ + d Therefore, when we substitute these expressions into the definition of j, all the factors (cτ + d) cancel. Let F be the subset of z ∈ H such that |z| ≥ 1,

−

1 1 ≤ (z) < , 2 2

z = eiθ for

π π 0) or blows up (n < 0) as τ → i∞. PROPOSITION 9.16 Let f be a function meromorphic in H such that f is not identically zero and such that     aτ + b ab f = f (τ ) for all ∈ SL2 (Z). cd cτ + d Then

1 1 ordi∞ (f ) + ordρ (f ) + ordi (f ) + 3 2




ordz (f ) = 0.

z=i,ρ,i∞

REMARK 9.17 The function f can be regarded as a function on the surface obtained as follows. Identify the left and right sides on F to get a tube, then fold the part with |z| = 1 at i. Then pinch the open end at i∞ to a point. This gives a surface that is topologically a sphere. The proposition expresses the fact that the number of poles of f equals the number of zeros on such a surface, just as occurred for doubly periodic functions in Theorem 9.1. The point i is special since a small neighborhood around i contains only half of a disc inside F. Similarly, a small neighborhood around ρ includes only 1/3 of a disc from F (namely, 1/6 near ρ and 1/6 near 1 + ρ, which is folded over to meet ρ). This explains the factors 1/2 and 1/3 in the proposition. For a related phenomenon, see Exercise 9.3. PROOF Let C be the path shown in Figure 9.4. Essentially, C goes around the edge of F. However, it consists of a small circular arc past each of ρ, 1 +ρ, and i. If there is a pole or zero of f at a point on the path, we make a small detour around it and a corresponding detour at the corresponding point on the other side of F. The arcs near ρ, 1 + ρ, and i have radius , where  is chosen small enough that there are no zeros or poles of f inside the circles, except possibly at ρ, 1 + ρ, or i. Similarly, the top part of C is chosen to have

280

CHAPTER 9 ELLIPTIC CURVES OVER C






Figure 9.4

imaginary part N , where N is large enough that f (z) has no zeros or poles with imaginary part greater than N , except perhaps at i∞. This is possible since f (z) = q n (an + an+1 q + · · · ). Since the series an + an+1 q + · · · is assumed to converge for q small, it is finite and is approximately equal to an = 0 for sufficiently small q. As in the proof of Theorem 9.1, we have 
f  (z) 1 dz = ordz (f ). 2πi C f (z) z∈F z=i,ρ

 Since

11 01

 ∈ SL2 (Z) gives the map z → z + 1, we have f (z) = f (z + 1).

(9.16)

Therefore, the integrals over the left and right vertical parts of C are the same, except that they are in opposite directions, so they cancel each other. Now we’ll show that the integral over the part of the unit circle tothe left  of 0 −1 i cancels the part to the right. This is proved by using the fact that ∈ 1 0 SL2 (Z) gives the map z → −1/z, which interchanges the left and right arcs of the unit circle. In addition, differentiating the relation f (−1/z) = f (z) yields     −1 f  −1 f d = (z) dz. f z z f

SECTION 9.3 ELLIPTIC CURVES OVER C

281

Therefore, the integral over C from ρ to i equals the integral from −1/ρ = 1+ρ to −1/i = i, which is the negative of the integral from i to 1 + ρ. Therefore, the two parts cancel. All that remains are the parts of C near ρ, 1 + ρ, i, and i∞. Near i, we have f (z) = (z − i)k g(z) for some k, with g(i) = 0, ∞. Therefore, f  (z) k g  (z) = + . f (z) z−i g(z)

(9.17)

The integral over the small semicircle near i is 1 2πi

 θ

f  (i + eiθ ) iθ ie dθ, f (i + eiθ )

(9.18)

where θ ranges from slightly more than π to slightly less than 0. (Note that C is traveled clockwise. Because of the curvature of the unit circle, the limits are 0 and π only in the limit as  → 0.) Substitute (9.17) into (9.18) and let  → 0. Since g  /g is continuous at i, the integral of g  /g goes to 0. The integral of k/(z − i) yields 1 2πi



0

1 1 ki dθ = − k = − ordi (f ). 2 2 θ=π

Similarly, the contributions from the parts of C near ρ and 1 + ρ add up to −(1/3)ordρ (f ) (we are using the fact that f (ρ) = f (ρ + 1), by (9.16)). Finally, the integral along the top part of C is 1 2πi



− 12

t= 12

f  (t + iN ) dt. f (t + iN )

Since f (τ ) = q n (an + an+1 q + · · · ), we have 2πian+1 q + · · · f  (τ ) = 2πin + . f (τ ) an + · · · The second term goes to 0 as q → 0, hence as N → ∞. The limit of the integral as N → ∞ is therefore 1 2πi



− 12

t= 12

2πin dt = −n = −ordi∞ (f ).

Combining all of the above calculations yields the theorem. COROLLARY 9.18 If z ∈ C, then there is exactly one τ ∈ F such that j(τ ) = z.

282

CHAPTER 9 ELLIPTIC CURVES OVER C

PROOF First, we need to calculate j(ρ) and j(i). Recall that τ corresponds to the lattice Lτ = Zτ + Z. Since ρ2 = −1 − ρ, it follows easily that ρLρ ⊆ Lρ . Therefore, Lρ = ρ3 Lρ ⊆ ρ2 Lρ ⊆ ρLρ ⊆ Lρ , so ρLρ = Lρ . It follows from (9.14) that g2 (Lρ ) = g2 (ρLρ ) = ρ−4 g2 (Lρ ) = ρ−1 g2 (Lρ ). Since ρ = 1, we have g2 (ρ) = g2 (Lρ ) = 0. Therefore, j(ρ) = 1728

g2 (Lρ )3 =0 g2 (Lρ )3 − 27g3 (Lρ )2

(note that the denominator is nonzero, by Proposition 9.9). Similarly, τ = i corresponds to the lattice Li = Zi + Z, and iLi = Li . Therefore, g3 (Li ) = g3 (iLi ) = i−6 g3 (Li ) = −g3 (Li ), so g3 (i) = g3 (Li ) = 0. Therefore, j(i) = 1728

g2 (Li )3 = 1728. g2 (Li )3 − 27g3 (Li )2

We now look at the other values of τ . Consider the function h(τ ) = j(τ )−z. Then h has a pole of order 1 at i∞ and no other poles. By Proposition 9.16, we have
1 1 ordρ (h) + ordi (h) + ordz (h) = 1. 3 2 z=i,ρ,∞

If z = 0, 1728, then h has order 0 at ρ and at i. Therefore, h has a unique zero in F, so j(τ ) = z has a unique solution in F. If z = 1728, then (1/2)ordi (h) > 0. Since the order of h at a point is an integer, the order must be 0 when z = i, ρ; otherwise, the sum would be larger than 1. Also, there is no combination of m/2 + n/3 that equals 1 except when either m = 0 or n = 0. Therefore, j(τ ) − 1728 has a double zero at i and no other zero in F. Similarly, j(τ ) has a triple zero at ρ and no other zero in F. 

COROLLARY 9.19 Let τ1 , τ2 ∈ H. Then j(τ1 ) = j(τ2 ) if and only if there exists such that

ab cd

 ∈ SL2 (Z)

aτ1 + b = τ2 . cτ1 + d

PROOF Proposition 9.13 gives one direction of the statement. Assume conversely that j(τ1 ) = j(τ2 ). Let τ1 , τ2 ∈ F map to τ1 , τ2 via the action of

SECTION 9.3 ELLIPTIC CURVES OVER C

283

SL2 (Z), as in Proposition 9.14. Then, by Proposition 9.13, j(τ1 ) = j(τ1 ) = j(τ2 ) = j(τ2 ). By Corollary 9.18, τ1 = τ2 . Since an element of SL2 (Z) maps τ1 to τ1 , and an element of SL2 (Z) maps τ1 = τ2 to τ2 , the product of these two matrices (see Exercise 9.2) maps τ1 to τ2 , as desired. There is also a version of Corollary 9.19 for lattices (the j-invariant of a lattice is defined on page 276). COROLLARY 9.20 Let L1 , L2 ⊂ C be lattices. Then j(L1 ) = j(L2 ) if and only if there exists 0 = λ ∈ C such that λL1 = L2 . PROOF One direction was proved on page 276. Conversely, suppose j(L1 ) = j(L2 ). Write Li = (λi )(Zτi + Z) with τi ∈ F, as in Corollary 9.15. Then j(τ1 ) = j(L1 ) = j(L2 ) = j(τ2 ), so Corollary 9.18 implies that τ1 = τ2 . Let λ = λ2 /λ1 . Then λL1 = L2 . We can now show that every elliptic curve over C corresponds to a torus. THEOREM 9.21 Let y 2 = 4x3 − Ax − B define an elliptic curve E over C. Then there is a lattice L such that g2 (L) = A and g3 (L) = B. There is an isomorphism of groups C/L  E(C). PROOF

Let

A3 . A3 − 27B 2 By Corollary 9.18, there exists a lattice L = Zτ +Z such that j(τ ) = j(L) = j. Assume first that g2 (L) = 0. Then j = j(L) = 0, so A = 0. Choose λ ∈ C× such that g2 (λL) = λ−4 g2 (L) = A. j = 1728

The equality j = j(L) implies that g3 (λL)2 = B 2 , so g3 (λL) = ±B. If g3 (λL) = B, we’re done. If g3 (λL) = −B, then g3 (iλL) = i−6 g3 (λL) = B

and

g2 (iλL) = i4 g2 (λL) = A.

284

CHAPTER 9 ELLIPTIC CURVES OVER C

Therefore, either λL or iλL the desired lattice. If g2 (L) = 0, then j = j(L) = 0, so A = 0. Since A3 − 27B 2 = 0 by assumption and since g2 (L)3 − 27g3 (L)2 = 0 by Proposition 9.9, we have B = 0 and g3 (L) = 0. Choose µ ∈ C× such that g3 (µL) = µ−6 g3 (L) = B. Then g2 (µL) = µ−4 g2 (L) = 0 = A, so µL is the desired lattice. By Theorem 9.10, the map C/L −→ E(C) is an isomorphism. The elements of L are called the periods of L. Theorem 9.21 gives us a good way to work with elliptic curves over C. For example, let n be a positive integer and let E be an elliptic curve over C. By Theorem 9.21, there exists a lattice L = Zω1 + Zω2 such that C/L is isomorphic to E(C). It is easy to see that the n-torsion on C/L is given by the points j k ω1 + ω2 , 0 ≤ j, k ≤ n − 1. n n It follows that E[n]  Zn ⊕ Zn . In fact, we can use this observation to give a proof of Theorem 3.2 for all fields of characteristic 0. COROLLARY 9.22 Let K be a field of characteristic 0, and let E be an elliptic curve over K. Then E[n] = {P ∈ E(K) | nP = ∞}  Zn ⊕ Zn . PROOF Let L be the field generated by Q and the coefficients of the equation of E. Then L has finite transcendence degree over Q, hence can be embedded into C (see Appendix C). Therefore, we can regard E as an elliptic curve over C. Therefore, the n-torsion is Zn ⊕ Zn . There is a technical point to worry about. The definition of E[n] that we have used requires the coordinates of the n-torsion to lie in the algebraic closure of the base field. How can we be sure that the field K isn’t so large that it allows more torsion points than C? Suppose that E[n] ⊂ E(K) has order larger than n2 . Then we can choose n2 + 1 of these points and adjoin their coordinates to L. Then L still has finite transcendence degree over Q, hence can be embedded into C. The coordinates of the n2 + 1 points will yield

SECTION 9.3 ELLIPTIC CURVES OVER C

285

n2 +1 points in E(C) that are n-torsion points. This is impossible. Therefore, E[n] is no larger than it should be. There is also the reverse possibility. How do we know that K is large enough to account for all the n-torsion points that we found in E(C)? We need to show that the n-torsion points in E(C) have coordinates that are algebraic over L (where L is regarded as a subfield of C). Let P = (x, y) be an n-torsion point in E(C), and suppose that x and y are transcendental over L (since x and y satisfy the polynomial defining E, they are both algebraic or both transcendental over K). Let σ be an automorphism of C such that σ(x) = x+1, and such that σ is the identity on L. Such an automorphism exists: take σ to be the desired automorphism of K(x), then use Zorn’s Lemma to extend σ to all of C (see Appendix C). The points σ m (P ) for m = 1, 2, 3, . . . , have distinct x-coordinates x + 1, x + 2, x + 3, . . . , hence are distinct points. Each must be an n-torsion point of E in E(C). But there are only n2 such points, so we have a contradiction. Therefore, the coordinates of the n-torsion points are algebraic over L, hence are algebraic over K, since L ⊆ K. Therefore, the passage from K to C does not affect E[n]. Suppose we have an elliptic curve E defined over the real numbers R. Usually, it is represented by a graph, as in Chapter 2 (see Figure 2.1 on page 10). It is interesting to see how the torus we obtain relates to this graph. It can be shown (Exercise 9.5) that the lattice L for E has one of two shapes. Suppose first that the lattice is rectangular: L = Zω1 + Zω2 with ω1 ∈ iR and ω2 ∈ R. Then (℘(z), ℘ (z)) ∈ E(R) when (I) z = tω2

with 0 ≤ t < 1,

and also when (II) z = (1/2)ω1 + tω2

with 0 ≤ t < 1.

The first of these is easy to see: if z is real and the lattice L is preserved by complex conjugation, then conjugating the defining expression for ℘(z) leaves it unchanged, so ℘ maps reals to reals. The second is a little more subtle: conjugating z = (1/2)ω1 + tω2 yields z = −(1/2)ω1 + tω2 , which is equivalent to z mod L. Therefore, the defining expression for ℘(z) is again unchanged by complex conjugation, so ℘ maps reals to reals. Fold the parallelogram into a torus by connecting the right and left sides to form a tube, then connecting the ends. The paths (I) (see Figure 9.5) starts and ends at points that differ by ω2 . Therefore the endpoints are equivalent mod L, so (I) yields a circle on the torus. Similarly, (I) yields a circle on the torus. When the ends of path (I) are disconnected at 0 (which corresponds to ∞ in the Weierstrass form), we obtain a slightly deformed version of the graph of Figure 2.1(a) on page 10.

286

CHAPTER 9 ELLIPTIC CURVES OVER C

Ω1 1  Ω1 2

II

0

I

Ω2

Figure 9.5

The Real Points on C/L

In the case of a skewed parallelogram, that is, when ω2 is real and the imaginary part of ω1 is half of ω2 , the real axis is mapped to the reals, but the analogue of path (II) is not mapped to the reals. This corresponds to the situation of Figure 2.1(b) on page 10.

9.4 Computing Periods Suppose E is an elliptic curve over C. From Theorem 9.21, we know that E corresponds to a lattice L = Zω1 + Zω2 via the doubly periodic functions ℘ and ℘ , but how do we find the periods ω1 and ω2 ? For simplicity, let’s consider the case where E is defined over R and E[2] ⊂ E(R). Then the equation for E can be put in the form y 2 = 4x3 − g2 x − g3 = 4(x − e1 )(x − e2 )(x − e3 )

with e1 < e2 < e3 .

We may assume ω2 ∈ R with ω2 > 0 and ω1 ∈ iR with (ω1 ) > 0, as in Figure 9.5. The graph of E is as in Figure 2.1(a) on page 10. The Weierstrass ℘-function and its derivative map C/L to E via (x, y) = (℘(z), ℘ (z)). As z goes from 0 to ω2 /2, the function ℘(z) takes on real values, starting with x = ∞. The first point of order two is encountered when z = ω2 /2. Which point (ei , 0) is it? The graph of the real points of E has two components. The one connected to ∞ contains the point (e3 , 0) of order two, so x = ℘(z) must run from ∞ to e3 as z goes from 0 to ω2 /2. The expansion of ℘ (z) starts with the term −2/z 3 , from which it follows that y = ℘ (z) < 0 near z = 0, hence ℘ (z) < 0 for 0 < z < ω2 /2.

SECTION 9.4 COMPUTING PERIODS

Consider now the integral  ∞ 

287

dx

. 4(x − e1 )(x − e2 )(x − e3 )  Substitute x = ℘(z). The denominator becomes ℘ (z)2 = −℘ (z) (recall that ℘ (z) < 0) and the limits of integration are from z = ω2 /2 to 0. Adjusting the direction of integration and the sign yields e3



ω2 /2

dz =

0

Therefore,

 ω2 =

∞

e3



ω2 . 2

dx (x − e1 )(x − e2 )(x − e3 )

.

The change of variables     e3 − (e3 − e1 )(e3 − e2 ) t + e3 + (e3 − e1 )(e3 − e2 ) x= t+1 (plus a lot of algebraic manipulation) changes the integral to 2 √ ω2 = √ e3 − e1 + e3 − e2



1

−1



dt (1 −

t2 )(1

− k 2 t2 )

,

where √ √ e3 − e1 − e3 − e2 √ k=√ . e3 − e1 + e3 − e2

(9.19)

Since the integrand is an even function, we can take twice the integral over the interval from 0 to 1 and obtain  1 dt 4 √  ω2 = √ . 2 e3 − e1 + e3 − e2 0 (1 − t )(1 − k 2 t2 ) This integral is called an elliptic integral (more precisely, an elliptic integral of the first kind). It is usually denoted by  K(k) =

0

1



dt (1 −

t2 )(1

− k 2 t2 )

.

In the following, we’ll see how to compute K(k) numerically very accurately and quickly, but first let’s find an expression for ω1 . When z runs along the vertical line from ω2 /2 to ω2 /2 + ω1 /2, the function ℘(z) takes on real values (see Exercise 9.6) from e3 to e2 , and its derivative

288

CHAPTER 9 ELLIPTIC CURVES OVER C

℘ (z) takes on purely imaginary values. Reasoning similar to that above (including the same change of variables) yields 2i √ ω1 = √ e3 − e1 + e3 − e2 Let k  =



1/k

1



dt (t2

− 1)(1 − k 2 t2 )

.

√ 1 − k 2 and make the substitution 2

t = (1 − k  u2 )−1/2 . The integral becomes  0

1



dt (1 − t2 )(1 − k  2 t2 )

 = K(k  ) = K( 1 − k 2 ).

Therefore,  2i √ ω1 = √ K( 1 − k 2 ). e3 − e1 + e3 − e2 Therefore, both ω1 and ω2 can be expressed in terms of elliptic integrals.

9.4.1 The Arithmetic-Geometric Mean In this subsection, we introduce the arithmetic-geometric mean. It yields a very fast and ingenious method, due to Gauss, for computing elliptic integrals. Start with two positive real numbers a, b. Define an and bn by a0 = a, b0 = b 1 an = (an−1 + bn−1 ) 2  bn = an−1 bn−1 .

(9.20)

Then an is the arithmetic mean (=average) of an−1 and bn−1 , and bn is their geometric mean.

SECTION 9.4 COMPUTING PERIODS

289

Example √ 9.1 Let a = 2 and b = 1. Then a1 = 1.207106781186547524400844362 . . . b1 = 1.189207115002721066717499970 . . . a2 = 1.198156948094634295559172166 . . . b2 = 1.198123521493120122606585571 . . . a3 = 1.198140234793877209082878869 . . . b3 = 1.198140234677307205798383788 . . . a4 = 1.198140234735592207440631328 . . . b4 = 1.198140234735592207439213655 . . . . The sequences are converging very quickly to the limit a∞ = b∞ = 1.198140234735592207439922492 . . . .

The rapid convergence is explained by the following. PROPOSITION 9.23 Suppose a ≥ b > 0. Then bn−1 ≤ bn ≤ an ≤ an−1 and 0 ≤ an − bn ≤

1 (an−1 − bn−1 ). 2

(9.21)

Therefore M (a, b) = lim an = lim bn n→∞

exists. Moreover, if b ≥ 1 then an+m − bn+m ≤ 8

n→∞



an − bn 8

 2m (9.22)

for all m, n ≥ 0. PROOF The fact that an ≥ bn for all n is the arithmetic-geometric mean inequality, or the fact that  1 √ an − bn = ( an−1 − bn−1 )2 ≥ 0. 2

290

CHAPTER 9 ELLIPTIC CURVES OVER C

Therefore, since an−1 ≥ bn−1 , it follows immediately from (9.20) that an ≤

1 (an−1 + an−1 ) = an−1 2

and

bn ≥



bn−1 bn−1 = bn−1 .

Also, 2  1 √ an−1 − bn−1 2 √   1 √ ≤ an−1 − bn−1 an−1 + bn−1 2 1 = (an−1 − bn−1 ). 2

an − bn =

Therefore, an − bn ≤ (1/2)n (a − b), so an − bn → 0. Since the an ’s are a decreasing sequence bounded below by the increasing sequence of bn ’s, it follows immediately that the two sequences  converge to the same limit, so √ M (a, b) exists. If bn−1 ≥ 1, then an−1 + bn−1 ≥ 2, so 2  an − bn 1 √ = an−1 − bn−1 8 16  2 2 √a  bn−1 1 √ n−1 + ≤ an−1 − bn−1 16 4  2 an−1 − bn−1 . = 8 Inequality 9.22 follows easily by induction. The limit M (a, b) is called the arithmetic-geometric mean of a and b. Since M (ca, cb) = cM (a, b), we can always rescale a and b to make b ≥ 1. Also, since M (b, a) = M (a, b) (because a1 and b1 are symmetric in a, b), we may always arrange that a ≥ b. By Inequality (9.21), an − bn < 1 for sufficiently large n. The numbers an+m and bn+m give approximations to M (a, b). Inequality (9.22) predicts that the number of decimal places of accuracy doubles with each iteration. This phenomenon occurs in the above example. The reasons we are interested in the arithmetic-geometric mean are the following two propositions. PROPOSITION 9.24 Let a, b be positive real numbers. Define  I(a, b) =

0

π/2



dθ a2

cos2

θ + b2 sin2 θ

.

SECTION 9.4 COMPUTING PERIODS



Then I

291

 a+b √ , ab = I(a, b). 2

Moreover, I(a, b) =

π/2 . M (a, b)

PROOF

Let u = b tan θ. The integral becomes  ∞  du du 1 ∞   I(a, b) = = . 2 + a2 )(u2 + b2 ) 2 + a2 )(u2 + b2 ) 2 (u (u 0 −∞

Therefore,

 I

  a+b √ du 1 ∞  , ab = . 2 2 −∞ (u2 + ( a+b )2 )(u2 + ab) 2

Let u= Then v = u +

1 2

 v−

ab v

 0 < v < ∞.

,

√ u2 + ab. Since  2 a+b 1 = 2 (v 2 + a2 )(v 2 + b2 ), u2 + 2 4v

it is straightforward to obtain    ∞ a+b √ dv  I , ab = = I(a, b). 2 2 (v + a2 )(v 2 + b2 ) 0 By induction, we obtain I(a, b) = I(a1 , b1 ) = I(a2 , b2 ) = · · · . Let a∞ = b∞ = M (a, b) = lim an = lim bn . n→∞

n→∞

It is fairly easy to justify taking the limit inside the integral sign to obtain I(a, b) = lim I(an , bn ) n→∞

= I(a∞ , b∞ )  π/2 dθ  = 0 a2∞ cos2 θ + b2∞ sin2 θ  π/2 1 dθ  = 2 M (a, b) 0 cos θ + sin2 θ π/2 = . M (a, b)

292

CHAPTER 9 ELLIPTIC CURVES OVER C

PROPOSITION 9.25 If 0 < k < 1, then

  K(k) = I 1, 1 − k 2 = I(1 + k, 1 − k).

PROOF

 K(k) =

0



1

dt  (1 − t2 )(1 − k 2 t2 )

π/2

= 0



dθ  1 − k 2 sin2 θ

(let t = sin θ)

π/2

dθ  0 cos2 θ + (1 − k 2 ) sin2 θ  = I(1, 1 − k 2 ) =

= I(1 + k, 1 − k). The last equation follows from Proposition 9.24, with a = 1 + k and b = 1 − k.

Putting everything together, we can now express the periods ω1 and ω2 in terms of arithmetic-geometric means. THEOREM 9.26 Suppose E is given by y 2 = 4x3 − g2 x − g3 = 4(x − e1 )(x − e2 )(x − e3 ) with real numbers e1 < e2 < e3 . Then Zω1 + Zω2 is a lattice for E, where πi √ √ M ( e3 − e1 , e2 − e1 ) π √ √ . ω2 = M ( e3 − e1 , e3 − e2 ) ω1 =

PROOF

We have, with k as in (9.19), 4 √ K(k) e3 − e1 + e3 − e2 4 √ = √ I(1 + k, 1 − k). e3 − e1 + e3 − e2

ω2 = √

Use the definition (9.19) of k and the relation cI(ca, cb) = I(a, b) with √ √ e3 − e1 + e3 − e2 c= 2

SECTION 9.4 COMPUTING PERIODS

293

to obtain √ √ ω2 = 2I( e3 − e1 , e3 − e2 ) π √ √ . = M ( e3 − e1 , e3 − e2 ) The proof of the formula for ω1 uses similar reasoning to obtain  2i √ K( 1 − k 2 ) e3 − e1 + e3 − e2 2i √ I(1, k) = √ e3 − e1 + e3 − e2 √ √ √ √ = 2iI( e3 − e1 + e3 − e2 , e3 − e1 − e3 − e2 ).

ω1 = √

If we let a=

√ √ e3 − e1 + e3 − e2 ,

then (9.20) yields a1 =

√ e3 − e1 ,

b=

√

b1 =

e3 − e1 −

√ e3 − e2 ,

√ e2 − e1 .

Proposition 9.24 therefore implies that √ √ ω1 = 2iI( e3 − e1 , e2 − e1 ) πi √ √ = . M ( e3 − e1 , e2 − e1 ) Example 9.2 Consider the elliptic curve E given by y 2 = 4x3 − 4x. Then e1 = −1, e2 = 0, e3 = 1, so πi √ = i2.62205755429211981046483959 . . . M ( 2, 1) π √ ω2 = = 2.62205755429211981046483959 . . . . M ( 2, 1)

ω1 =

Therefore, the fundamental parallelogram for the lattice is a square. This also follows from the fact that E has complex multiplication by Z[i]. See Chapter 10. The number 2.622 . . . can be shown (see Exercise 9.8) to equal  1 dx Γ(1/4)Γ(1/2) √ , = 4 2 Γ(3/4) 1−x −1 where Γ is the gamma function (for its definition, see Section 14.2). This is a special case of the Chowla-Selberg formula, which expresses the periods of

294

CHAPTER 9 ELLIPTIC CURVES OVER C

elliptic curves with complex multiplication in terms of values of the gamma function (see [101]). There are also formulas similar to those of Theorem 9.26 for the case where one real root. Let e1 be the unique g2 , g3 ∈ R but 4x3 − g 2 x − g3 has only real root of 4x3 − g2 x − g3 and let e = 3e21 − (1/4)g2 . Then 2π √ √   M ( 4e , 2e + 3e1 ) πi ω1 √ + . ω2 = − √   2 M ( 4e , 2e − 3e1 ) ω1 =

(9.23) (9.24)

The proof is similar to the one when there are three real roots. For more on the arithmetic-geometric mean, including how it has been used to compute π very accurately and how it behaves for complex arguments, see [17] and [30].

9.5 Division Polynomials In this section, we prove Theorem 3.6, which gives a formula for n(x, y), where n > 1 is an integer and (x, y) is a point on an elliptic curve. We’ll start with the case of an elliptic curve in characteristic zero, then use this to deduce the case of positive characteristic. Let E be an elliptic curve over a field of characteristic 0, given by an equation y 2 = x3 + Ax + B. All of the equations describing the group law are defined over Q(A, B). Since C is algebraically closed and has infinite transcendence degree over Q, it is easy to see that Q(A, B) may be considered as a subfield of C. Therefore, we regard E as an elliptic curve defined over C. By Theorem 9.21, there is a lattice L corresponding to E. Let ℘(z) be the associated Weierstrass ℘-function, which satisfies the relation (℘ )2 = 4℘3 − g2 ℘ − g3 , with g2 = −4A, g3 = −4B. We’ll derive formulas for ℘(nz) and ℘ (nz), then use x = ℘(z) and y = ℘ (z)/2 to obtain the desired formulas for n(x, y). LEMMA 9.27 There is a doubly periodic function fn (z) such that  fn (z)2 = n2 (℘(z) − ℘(u)). 0=u∈(C/L)[n]

The sign of fn can be chosen so that

SECTION 9.5 DIVISION POLYNOMIALS

295

1. if n is odd, fn = Pn (℘), where Pn (X) is a polynomial of degree (n2 −1)/2 with leading coefficient n, 2. if n is even, fn = ℘ Pn (℘), where Pn (X) is a polynomial of degree (n2 − 4)/2 with leading coefficient n/2. The expansion of fn at 0 is fn (z) =

(−1)n+1 n + ··· . z n2 −1

The zeros of fn are at the points 0 = u ∈ (C/L)[n], and these are simple zeros. PROOF The product is over the nonzero n-torsion in C/L. Since ℘(u) = ℘(−u), the factors for u and −u are equal. Suppose n is odd. Then u is never congruent to −u mod L, so every

factor in the product occurs twice. Therefore, fn can be taken to be n (℘(z) − ℘(u)), where we use only one member of each pair (u, −u). This is clearly a polynomial in ℘(z) of degree (n2 − 1)/2 and leading coefficient n. When n is even, there are three values of u that are congruent to their negatives mod L, namely, ωj /2 for j = 1, 2, 3. Since  (℘ )2 = 4 (℘ − ℘(ωj /2)), j 

these factors contribute ℘ /2 to fn . The remaining factors can be paired up, as in the case when n is odd, to obtain a polynomial in ℘ of degree (n2 − 4)/2 and leading coefficient n. Therefore, fn has the desired form. Since ℘(z) = z −2 + · · · and ℘ (z) = −2z −3 + · · · , we immediately obtain the expansion of fn at 0. Clearly fn has a zero at each nonzero u ∈ (C/L)[n]. There are n2 − 1 such points. Since the only pole mod L of fn is one of order n2 − 1 at z = 0, and since the number of zeros equals the number of poles (counting multiplicities), these zeros must all be simple. LEMMA 9.28 Let n ≥ 2. Then ℘(nz) = ℘(z) −

fn−1 (z)fn+1 (z) . fn (z)2

PROOF Let g(z) = ℘(nz) − ℘(z). We’ll show that g and fn−1 fn+1 /fn2 have the same divisors. The function g(z) has a double pole at each u ∈ (C/L)[n] with u = 0. At z = 0, it has the expansion g(z) =

1 1 − 2 + ··· , n2 z 2 z

296

CHAPTER 9 ELLIPTIC CURVES OVER C

so g also has a double pole at 0. Therefore, g has a total of 2n2 poles, counting multiplicities. The function g has a zero at z = w when nw ≡ ±w ≡ 0 (mod L). For such w,   d g(z) = n℘ (nw) − ℘ (w) = ±n℘ (w) − ℘ (w) = (±n − 1)℘ (w). dz z=w Since the zeros of ℘ (z) occur when z = ωj /2, we have g  (w) = 0 when w = ωj /2, so such w are simple zeros of g. Moreover, when n is odd, n(ωj /2) ≡ ωj /2, so the points ωj /2 are at least double zeros of g in this case. If nw ≡ w (mod L), then (n − 1)w ≡ 0. Let δ = 0 if n is even and δ = 1 if n is odd. There are (n − 1)2 − 1 − 3δ points w with (n − 1)w = 0 and w = 0, ωj /2. Similarly, there are (n + 1)2 − 1 − 3δ points w with (n + 1)w = 0 and w = 0, ωj /2. There are at least 6δ zeros (counting multiplicities) at the points ωj /2. Therefore, we have accounted for at least (n − 1)2 − 1 − 3δ + (n + 1)2 − 1 − 3δ + 6δ = 2n2 zeros. Since g(z) has exactly 2n2 poles, we have found all the zeros and their multiplicities. The function fn−1 fn+1 fn2 has a double pole at each of the zeros of fn . If w ≡ 0 and (n ± 1)w ≡ 0 then fn±1 has a simple zero at w. If both (n + 1)w ≡ 0 and (n − 1)w ≡ 0, then 2w ≡ 0, so w ≡ ωj /2 for some j. Therefore, fn−1 fn+1 has a simple zero at each w with (n ± 1)w ≡ 0, except for those where w ≡ ωj /2, at which points it has a double zero. At z = 0, the expansions of the functions yield fn−1 fn+1 = fn2     2 (−1)n (n − 1) (−1)n+2 (n + 1) (−1)n+1 n + · · · + · · · + · · · z n2 −1 z (n−1)2 −1 z (n+1)2 −1   1 = 1 − 2 z −2 + · · · , n so there is a double zero at z = 0. Therefore, −fn−1 fn+1 /fn2 has the same divisor as ℘(nz) − ℘(z), so the two functions are constant multiples of each other. Since their expansions at 0 have the same leading coefficient, they must be equal. This proves the lemma. LEMMA 9.29 3 fn−1 . f2n+1 = fn+2 fn3 − fn+1

SECTION 9.5 DIVISION POLYNOMIALS

PROOF

297

As in the proof of Lemma 9.28, we see that ℘((n + 1)z) − ℘(nz) = −

f2n+1 2 fn+1 fn2

since the two sides have the same divisors and their expansions at 0 have the same leading coefficient. Since ℘((n + 1)z) − ℘(nz) = (℘((n + 1)z) − ℘(z)) − (℘(nz) − ℘(z)) fn+2 fn fn+1 fn−1 =− 2 + , fn+1 fn2 the result follows by equating the two expressions for ℘((n + 1)z) − ℘(nz).

LEMMA 9.30 2 2 − fn−2 fn+1 ). ℘ f2n = (fn )(fn+2 fn−1 PROOF

As in the proofs of the previous two lemmas, we have ℘((n + 1)z) − ℘((n − 1)z) = −

℘ f2n . 2 2 fn−1 fn+1

(A little care is needed to handle the points ωj /2.) Since ℘((n + 1)z) − ℘((n − 1)z) = (℘((n + 1)z) − ℘(z)) − (℘((n − 1)z) − ℘(z)) fn fn−2 fn+2 fn + 2 , =− 2 fn+1 fn−1 the result follows. LEMMA 9.31 For all n ≥ 1,

 fn (z) = ψn

 1  ℘(z), ℘ (z) 2

where ψn is defined in Section 3.2. PROOF Since ψ1 = 1 and ψ2 = 2y, the lemma is easily seen to be true for n = 1, 2. From Equations (9.10) and (9.8) in Section 9.2, we have −

f3 f3 = − 2 = ℘(2z) − ℘(z)  2 (℘ ) f2  2 1 ℘ (z) = − 2℘(z) − ℘(z) 4 ℘ (z) =−

3℘4 − 32 g2 ℘2 − 3g3 ℘ − (℘ )2

1 2 16 g2

(9.25)

.

298

CHAPTER 9 ELLIPTIC CURVES OVER C

Therefore, 3 1 f3 = 3℘4 − g2 ℘2 − 3g3 ℘ − g22 2 16 = 3℘4 + 6A℘2 + 12B℘ − A2 = ψ3 (℘). This proves the lemma for n = 3. By Equation (9.7) in Section 9.2, we have 1 ℘(2z + z) = 4 and ℘(2z − z) =

1 4





℘ (2z) − ℘ (z) ℘(2z) − ℘(z)

℘ (2z) + ℘ (z) ℘(2z) − ℘(z)

2 − ℘(2z) − ℘(z)

2 − ℘(2z) − ℘(z).

Therefore, −

f4 f2 = ℘(3z) − ℘(z) f32  2  2 1 ℘ (2z) − ℘ (z) 1 ℘ (2z) + ℘ (z) = − 4 ℘(2z) − ℘(z) 4 ℘(2z) − ℘(z) ℘ (2z)℘ (z) =− (℘(2z) − ℘(z))2 ℘ (2z)℘ (z) =− (by Equation 9.25) (−f3 /℘ (z)2 )2 ℘ (2z)℘ (z)5 . =− f32

This yields f4 f2 = ℘ (2z)℘ (z)5 . We know that 12 ℘ (2z) is the y-coordinate of 2(℘(z), 12 ℘ (z)), which means that ℘ (2z) can be expressed in terms of ℘(z) and ℘ (z), using the formulas for the group law. When this is done, we obtain   1 f4 = ψ4 ℘, ℘ , 2 so the lemma is true for n = 4. Since the fn ’s satisfy the same recurrence relations as the ψn ’s (see Lemmas 9.29 and 9.30 and the definition of the ψn ’s), and since the lemma holds for enough small values of n, the lemma now follows for all n. LEMMA 9.32 ℘ (nz) =

f2n . fn4

SECTION 9.5 DIVISION POLYNOMIALS

299

PROOF The function ℘ (nz) has triple poles at all points of (C/L)[n]. Therefore, there are 3n2 poles. Since the zeros of ℘ are at the points in (C/L)[2] other than 0, the zeros of ℘ (nz) are at the points that are in (C/L)[2n] but not in (C/L)[n]. There are 3n2 such points. Since the number of zeros equals the number of poles, all of these zeros are simple. The expansion of ℘ (nz) at z = 0 is ℘ (nz) =

−2 + ··· . n3 z 3

The function f2n /fn4 is easily seen to have the same divisor as ℘ (nz) and their expansions at z = 0 have the same leading coefficients. Therefore, the functions are equal. Finally, we can prove the main result of this section. THEOREM 9.33 Let E be an elliptic curve over a field of characteristic not 2, let n be a positive integer, and let (x, y) be a point on E. Then   φn ω n , n(x, y) = , ψn2 ψn3 where φn , ψn , and ωn are defined in Section 3.2. PROOF First, assume E is defined over a field of characteristic 0. As above, we regard E as being defined over C. We have     1 1 (x, y) = ℘(z), ℘ (z) , n(x, y) = ℘(nz), ℘ (nz) 2 2 for some z. Therefore, fn−1 fn+1 fn2 2 ℘fn − fn−1 fn+1 = fn2 2 xψn − ψn−1 ψn+1 = ψn2 φn = 2. ψn

℘(nz) = ℘(z) −

(by Lemma 9.31)

This proves the formula for the x-coordinate. For the y-coordinate, observe that the definition of ωn can be rewritten as ωn =

1 ψ2n . 2 ψn

300

CHAPTER 9 ELLIPTIC CURVES OVER C

Therefore, by Lemmas 9.32 and 9.31, 1  1 ψ2n ωn ℘ (nz) = = 3. 2 2 ψn4 ψn This completes the proof of the theorem when the characteristic of the field is 0. Suppose now that E is defined over a field K of arbitrary characteristic (not 2) by y 2 = x3 + Ax + B. Let (x, y) ∈ E(K). Let α, β, and X be three independent transcendental elements of C and let Y satisfy Y 2 = X 3 +αX +β. There is a ring homomorphism ρ : Z[α, β, X, Y ] −→ K(x, y) such that g(α, β, X, Y ) → g(A, B, x, y) ˜ be the elliptic curve for all polynomials g. Let R = Z[α, β, X, Y ] and let E 2 3 over R defined by y = x + αx + β. We want to say that by Corollary 2.33, ρ induces a homomorphism ˜ ρ : E(R) −→ E(K(x, y)). But we need to have R satisfy Conditions (1) and (2) of Section 2.11. The easiest way to accomplish this is to let M be the kernel of the map R → K(x, y). Since K(x, y) is a field, M is a maximal ideal of R. Let RM be the localization of R at M (this means, we invert all elements of R not in M). Then R ⊆ RM and the map ρ extends to a map ρ : RM −→ K(x, y). Since RM is a local ring, and projective modules over local rings are free, it can be shown that RM satisfies Condition (2). Since we are assuming that K(x, y) has characteristic not equal to 2, it follows that 2 is not in M, hence is invertible in RM . Therefore, RM satisfies Condition (1). Now we can apply Corollary 2.33. ˜ M ) is described by the polynomials ψj , φj , and ωj , The point n(X, Y ) in E(R which are polynomials in X, Y with coefficients in Z[α, β]. Applying ρ shows that these polynomials, regarded as polynomials in x, y with coefficients in K, describe n(x, y) on E. Therefore, the theorem holds for E. As an application of the division polynomials, we prove the following result, which will be used in Chapter 11. PROPOSITION 9.34 Let E be an elliptic curve over a field K. Let f (x, y) be a function from E to K ∪ {∞} and let n ≥ 1 be an integer not divisible by the characteristic of K.

SECTION 9.5 DIVISION POLYNOMIALS

301

Suppose f (P + T ) = f (P ) for all P ∈ E(K) and all T ∈ E[n]. Then there is a function h on E such that f (P ) = h(nP ) for all P . PROOF The case n = 1 is trivial, so we assume n > 1. Let T ∈ E[n]. There are rational functions R(x, y), S(x, y) depending on T such that (x, y) + T = (R(x, y), S(x, y)). Let y 2 = x3 +Ax+B be the equation of√E and regard K(x, y) as the quadratic extension of K(x) given by adjoining x3 + Ax + B. Since (R, S) lies on E, we have S 2 = R3 + AR + B. The map σT : K(x, y) → K(x, y) f (x, y) → f (R, S) is a homomorphism from K(x, y) to itself. Since σ−T is the inverse of σT , the map σT is an automorphism. Because (x, y) + T = (x, y) + T  when T = T  , we have σT (x, y) = σT  (x, y) when T = T  . Therefore, we have a group of n2 distinct automorphisms σT , where T runs through E[n], acting on K(x, y). A basic result in Galois theory says that if G is a group of distinct automorphisms of a field L, then the fixed field F of G satisfies [L : F ] = |G|. Therefore, the field F of functions f satisfying the conditions of the proposition satisfies [K(x, y) : F ] = n2 .

(9.26)

Let n(x, y) = (gn (x), y hn (x)) for rational functions gn , hn . Then K(gn (x), y hn (x)) ⊆ F.

(9.27)

[ K(gn (x), y hn (x)) : K(gn (x))] ≥ 2

(9.28)

Moreover,

since clearly y hn (x) ∈ K(gn (x)). Therefore, by (9.26), (9.27), and (9.28), [K(x, y) : K(gn (x))] ≥ 2n2 . From Theorem 3.6, gn (x) =

φn , ψn2

and φn and ψn2 are polynomials in x. Therefore, X = x is a root of the polynomial P (X) = φn (X) − gn (x)ψn2 (X) ∈ K[gn (x)][X]. By Lemma 3.5, 2

φn (X) = X n + · · ·

302

CHAPTER 9 ELLIPTIC CURVES OVER C

and ψn2 (X) has degree n2 − 1. Therefore, 2

P (X) = X n + · · · , so x is of degree at most n2 over K(gn (x)). Since [ K(x, y) : K(x)] = 2, we obtain

[ K(x, y) : K(gn (x))] ≤ 2n2 .

Combined with the previous inequality from above, we obtain equality, which means that we had equality in all of our calculations. In particular, F = K(gn (x), y hn (x)). The functions in F are those that are invariant under translation by elements of E[n]. Those on the right are those that are of the form h(n(x, y)). Therefore, we have proved the proposition.

9.6 The Torsion Subgroup: Doud’s Method Let E : y 2 = x3 + Ax + B be an elliptic curve defined over Z. The LutzNagell Theorem (Section 8.1) says that if (x, y) ∈ E(Q) is a torsion point, then either y = 0 or y 2 |4A3 + 27B 2 . This allows us to determine the torsion, as long as we can factor 4A3 + 27B 2 , and as long as it does not have many square factors. In this section, we present an algorithm due to Doud [35] that avoids these difficulties and is usually much faster in practice. Let p ≥ 11 be a prime not dividing 4A3 +27B 2 . By Theorem 8.9, the kernel of the map from the torsion of E(Q) to E(Fp ) is trivial. Therefore, the order of the torsion subgroup of E(Q) divides #E(Fp ). If we use a few values of p and take the greatest common divisor of the values of #E(Fp ), then we obtain a value b that is a multiple of the order of the torsion subgroup of E(Q). We consider divisors n of b, running from largest divisor to smallest, and look for a point of order n on E (of course, we should look at only the values of n allowed by Mazur’s theorem). In order to work analytically, we multiply the equation for E by 4 to obtain E1 : y12 = 4x3 + 4Ax + 4B, with y1 = 2y. The period lattice for E1 is generated by ω1 and ω2 , with ω2 ∈ R. The points in the fundamental parallelogram corresponding to real x, y under the map of Theorem 9.10 lie on the line ω2 R, and also on the line 12 ω1 + ω2 R when the cubic polynomial 4x3 + 4Ax + 4B has 3 real roots. Doubling a point on the second line yields a point on the first line. Therefore, if n is odd, all

SECTION 9.6 THE TORSION SUBGROUP: DOUD’S METHOD

303

n-torsion points come from the line ω2 R, hence lie in the subgroup generated by n1 ω2 , so ℘( n1 ω2 ) must be an integer. If n is even and z ∈ C/(Zω1 + Zω2 ) has order n, then z generates the same subgroup of C/(Zω1 + Zω2 ) as one of 1 1 1 1 1 1 n ω2 or n ω2 + 2 ω1 or n ω2 + 2 ω1 + 2 ω2 . Therefore, if there is a torsion point of order n, then at least one of these three values of z must yield an integral value of x = ℘(z). The strategy is therefore to evaluate 1 ℘( ω2 ) n 1 ℘( ω2 ), n

if n is odd or if 4x3 + 4Ax + 4B has only one real root 1 1 1 1 1 ℘( ω2 + ω1 ), ℘( ω2 + ω1 + ω2 ) n 2 n 2 2 if n is even and 4x3 + 4Ax + 4B has 3 real roots

for each divisor of b, starting with the largest n. If we find a numerical value of x that is close to an integer, we test whether y 2 = x3 + Ax + B yields an integral value of y. It can be checked whether or not (x, y) has order n by computing n(x, y). If so, then (since n is the largest divisor of b not yet excluded), we have the largest cyclic subgroup of the torsion group. Since only the 2-torsion can be noncyclic (Corollary 3.13), we need to see only if there is a point of order 2 not already in the subgroup generated by (x, y). If n(x, y) = ∞, we continue with n and smaller divisors that are still allowed by Mazur’s theorem and the value of b. We thus obtain all torsion points in E(Q). The AGM method (Theorem 9.24) calculates ω1 and ω2 quickly. The following allows us to compute ℘. PROPOSITION 9.35 Let z ∈ C and let u = e2πiz/ω2 . Let τ = ω1 /ω2 (with the requirement that τ is in the upper half plane) and let q = e2πiτ . Then ℘(z) = 2     ∞
u 2πi u u 2 1 n + + q + n − . ω2 12 (1 − u)2 n=1 (1 − q n u)2 (q − u)2 (1 − q n )2 PROOF Let f (z) denote the right-hand side of the equation. Since |q| < 1, it is easy to see that the series defining f (z) converges uniformly on compact subsets of C that do not contain points in the lattice ω1 Z + ω2 Z. Therefore, f (z) is analytic away from these lattice points. Moreover, it has a double pole at each lattice point. Using the fact that u = 1 + (2πi/ω2 )z + · · · , we find that the Laurent expansion of f (z) around z = 0 starts (1/z 2 ) + · · · . Since u is invariant under z → z + ω2 , so is f (z). Changing z to z + ω1 multiplies u by q. A straightforward calculation shows that f is invariant under u → qu. Therefore f is doubly periodic. The difference f (z)−℘(z) is a doubly periodic function with no poles except possibly simple poles at the lattice points. By Theorem 9.1, this implies that

304

CHAPTER 9 ELLIPTIC CURVES OVER C

the difference is a constant; call it C. The roots of the cubic polynomial 4T 3 − g2 T − g3 are the x-coordinates of the points of order 2, namely ℘( 12 ω1 ), ℘( 21 ω2 ), and ℘( 12 (ω1 + ω2 )). Since there is no T 2 term, the sum of these three roots is 0. Therefore, 1 1 1 f ( ω1 ) + f ( ω2 ) + f ( (ω1 + ω2 )) = 3C. 2 2 2 The following lemma shows that C = 0, which yields the proposition. LEMMA 9.36

PROOF

1 1 1 f ( ω1 ) + f ( ω2 ) + f ( (ω1 + ω2 )) = 0. 2 2 2

The values of u corresponding to the three values of z are u = −1,

u = q 1/2 ,

u = q −1/2 .

We may divide by the factor (2πi/ω2 )2 , hence we ignore it. The sum of the three terms 1/12 yields 1/4, which cancels the value of u/(1 − u)2 when u = −1. The final term inside the sum defining f (z) is independent of u and thus yields −6

∞


qn . (1 − q n )2 n=1

(9.29)

We now consider the remaining terms. The value u = −1 (substituted into the sum in f ) yields −2

∞


qn . (1 + q n )2 n=1

(9.30)

Combining (9.29) and (9.30) yields −8

∞
q n + q 2n + q 3n . (1 − q 2n )2 n=1

(9.31)

The value u = q 1/2 (substituted into the sum in f ) yields (the value of u/(1 − u)2 at u = q 1/2 is included in the first summation) ∞


q n+ 2

n=0

(1 − q n+ 2 )2

1 1

+

=2

∞


n=1 ∞


1

q n− 2 1

(q n− 2 − 1)2 1

q n− 2 1

n=1

(1 − q n− 2 )2

.

(9.32)

SECTION 9.6 THE TORSION SUBGROUP: DOUD’S METHOD

305

Similarly, the value u = −q 1/2 (substituted into the sum in f ) yields ∞


q n− 2

n=1

(1 − q n− 2 )2

−2 Since

1

1

1

q n− 2 (1 −

1

1 q n− 2 )2

−

q n− 2 1 q n− 2 )2

(1 +

=

.

(9.33)

4q 2n−1 , (1 − q 2n−1 )2

the sum of (9.31), (9.32), (9.33) is  ∞ 
q 2n−1 q n + q 2n + q 3n 8 + − . (1 − q 2n )2 (1 − q 2n−1 )2 n=1

(9.34)

Differentiating the series for 1/(1 − X) yields the identity ∞
1 = mX m−1 . (1 − X)2 m=1

Substituting X = q 2n−1 , multiplying by q 2n−1 , and summing over n yields ∞ ∞

q 2n−1 = mq (2n−1)m 2n−1 )2 (1 − q n=1 m=0 n=1 ⎛ ⎞ ∞

⎝ = d⎠ q N . ∞


N =1

(9.35)

(9.36)

d|N, N/d odd

Similarly, we obtain ∞ ∞

qn = mq n(2m−1) 2n )2 (1 − q n=1 m=0 n=1 ⎞ ⎛ ∞
d+1
⎠ qN ⎝ = 2 ∞


N =1

(9.37)

d|N, d odd

and ∞ ∞

q 3n = mq n(2m+1) 2n )2 (1 − q n=1 m=0 n=1 ⎞ ⎛ ∞
d−1
⎠ qN . ⎝ = 2 ∞


N =1

d|N, d odd

Also, the method yields ∞


2n

q = (1 − q 2n )2 n=1

(9.38)

∞
N =1

⎛ ⎝


d|N, N/d even

⎞ d⎠ q N .

(9.39)

306

CHAPTER 9 ELLIPTIC CURVES OVER C

Using (9.35), (9.37), (9.38), and (9.39), we find that (9.34) equals ⎛ ⎞ ∞



⎝ d − d − d⎠ q N . 8 N =1

d|N, N/d odd

d|N, d odd

We claim that for all N ≥ 1,
d − d|N, N/d odd




d

(9.40)

d|N, N/d even




−

d|N, d odd

d = 0.

d|N, N/d even

Write N = 2a u with a ≥ 0 and u odd. Then

d= 2a d1 d|N, N/d odd




d1 |u

d=

d|N, d odd







d

d|u

d=

d|N, N/d even




d2 .

d2 |2a−1 u

If a = 0, the last sum is interpreted to be 0. In this case, the claim is easily seen to be true. If a ≥ 1, then the divisors of 2a−1 u are of the form 2j d3 with 0 ≤ j ≤ a − 1 and d3 |u. Therefore,


d2 = (1 + 2 + 22 + · · · + 2a−1 )d3 = (2a − 1) d3 . d2 |2a−1 u

d3 |u

d3 |u

The claim follows easily. This completes the proof of the lemma. Since C = 0, the proof of the proposition is complete. Example 9.3 Consider the curve E : y 2 = x3 − 58347x + 3954150. We have 4A2 + 27B 2 = −372386507784192, which factors as 218 317 11, although we do not need this factorization. Since 11 divides this number, we skip 11 and start with p1 = 13. The number of points in E(F13 ) is 10. The number of points in E(F17 ) is also 10. Either of these facts implies that the number of torsion points in E(Q) divides 10. Using the AGM, we calculate ω1 = i0.156713 . . . ,

ω2 = 0.198602 · · · .

This yields τ = i0.78908 · · · and q = 0.0070274 · · · . We calculate ℘(ω2 /10) = 2539.82553 . . . ,

EXERCISES

307

which is not close to an integer. However, 1 ℘(ω2 /10 + ω1 ) = −213.00000 . . . . 2 This yields the point (x, y) = (−213, 2592) on E. An easy check shows that this is a point of order 10. Since the order of the torsion subgroup divides 10, we have determined that the torsion in E(Q) consists of the multiples of (−213, 2592).

Exercises 9.1 (a) Show that d3 ≡ d5 (mod 12) for all integers d. (b) Show that 5




d3 + 7

d|n




d5 ≡ 0 (mod 12)

d|n

for all positive integers n. (c) Show that g2 = where X =

∞

n=1

σ3 (n)q n .

(d) Show that g3 = where Y =

∞

n=1

(2π)4 (1 + 240X), 12

(2π)6 (1 − 504Y ), 216

σ5 (n)q n .

(e) Show that 1728(2π)−12 ∆ = (1 + 240X)3 − (1 − 504Y )2 .

(9.41)

(f) Show that the right side of (9.41) is congruent to 144(5X + 7Y ) mod 1728. ∞ (g) Conclude that (2π)−12 ∆ = n=0 dn q n , with dn ∈ Z. (h) Compute enough coefficients to obtain that (2π)−12 ∆ = q(1 +

∞
n=1

with en ∈ Z.

en q n )

308

CHAPTER 9 ELLIPTIC CURVES OVER C

(i) Show that (2π)12 /∆ = q −1

∞

(j) Show that

n=0

fn q n with fn ∈ Z. ∞

j=

1
+ cn q n q n=0

with cn ∈ Z.   ai bi 9.2 Let Mi = ∈ SL2 (Z) for i = 1, 2, 3 with M2 M1 = M3 . Let ci di τ1 ∈ F. Let a1 τ1 + b1 a2 τ2 + b2 , τ3 = . τ2 = c1 τ1 + d1 c2 τ2 + d2 Show that τ3 =

a3 τ1 + b3 . c3 τ1 + d3

9.3 Let k ≥ 0 be an integer. Let f be a meromorphic function on the upper half plane such that f has a q-expansion at i∞ (as in Equation (9.15)) and such that   aτ + b f = (cτ + d)k f (τ ) cτ + d   ab ∈ SL2 (Z). Show that for all τ ∈ H and for all cd 1 1 ordi∞ (f ) + ordρ (f ) + ordi (f ) + 3 2


z=i,ρ,i∞

ordz (f ) =

k . 12 

9.4 The stabilizer in SL2 (Z) of a point z ∈ H is the set of matrices

ab cd



such that (az + b)/(cz + d) = z. (a) Show that the stabilizer of i has order 4. (b) Show that the stabilizer of ρ has order 6. (c) Show  that  the stabilizer of i∞ consists of the matrices of the form 1b ± with b ∈ Z. 01 (d) Show that the stabilizer of each z ∈ H has order at least 2. It can be shown that the stabilizer of each element in the fundamental domain F has order 2 except for i and ρ. 9.5 Let E : y 2 = 4x3 + Ax + B, with A, B ∈ R be an elliptic curve defined over R. We know by Theorem 9.21 that E(C)  C/L for some lattice L. The goal of this exercise is to show that L has one of the two shapes given in part (i) below.

EXERCISES

309

(a) Let τ ∈ F. Show that j(τ ) = j(−τ ). (b) Show that if τ is in the fundamental domain F, then either −τ ∈ F, or (τ ) = −1/2, or |τ | = 1 with −1/2 ≤ (τ ) ≤ 0. (c) Suppose that τ ∈ F and that j(τ ) ∈ R. Show that (τ ) = 0, or (τ ) = −1/2, or |τ | = 1 with −1/2 ≤ (τ ) ≤ 0 (Hint: Use Corollary 9.18.) (d) Let τ ∈ H. Show that if |τ | = 1 then (−1/(τ + 1)) = −1/2. (e) Let L be a lattice with g2 (L) = −A and g3 (L) = −B. Show that there exists τ  ∈ H such that (τ  ) = 0 or −1/2 and j(L) = j(Zτ  + z). (f) Show that if τ ∈ H is such that (τ ) = 0 or −1/2, then we have g2 (τ ), g3 (τ ) ∈ R. (g) By Corollary 9.20, there exists λ ∈ C such that L = (λ)(Zτ  + Z). Show that if j = 0, 1728 then λ2 ∈ R. (Hint: Use Equations (9.14).) This shows that L is obtained from the lattice Zτ  + Z by an expansion by |λ| and a rotation by 0, 90◦ , 180◦ , or 270◦ . (h) Let 0 = y ∈ R. Let M be the lattice ( 12 + iy)Z + Z. Show that iM has {y + 12 i, 2y} as a basis. (i) Assume that j = 0, 1728. Show that L has a basis {ω1 , ω2 } with ω2 ∈ R and (ω1 ) = 0 or 12 ω2 . Therefore, the lattice L is either rectangular or a special shape of parallelogram. (j) Use the facts that j(ρ) = 0 and j(i) = 1728 to prove (i) in the cases that j(E) = 0 and j(E) = 1728. (The condition that λ2 ∈ R gets replaced by λ6 ∈ R and λ4 ∈ R, respectively. However, the lattices for τ = ρ and τ = i have extra symmetries.) 9.6 Let L be a lattice that is stable under complex conjugation (that is, if ω ∈ L then ω ∈ L). This is the same as requiring that the elliptic curve associated to L is defined over R (see Exercise 9.5). (a) Show that ℘(z) = ℘(z). (b) Show that if t ∈ R and if ω2 ∈ R is a real period, then   1 ℘ ω2 + it ∈ R. 2 (Hint: Use (a), the periodicity of ℘, and the fact that ℘(−z) = ℘(z).) (c) Differentiate the result of (b) to show that ℘ (z) ∈ iR for the points 12 ω2 + it in (b). This path, for 0 ≤ t ≤ ω1 , corresponds to x moving along the x-axis between the two parts of the graph in

310

CHAPTER 9 ELLIPTIC CURVES OVER C

Figure 2.1(a) on page 10. The points don’t appear on the graph because y is imaginary. For the curve in Figure 2.1(b) on page 10, x moves to the left along the x-axis, from the point on the x-axis back to the point at infinity, corresponding to the fact that ω1 = 12 ω2 +it for appropriate t (see Exercise 9.5). 9.7 Define the elliptic integral of the second kind to be  1√ 1 − k 2 x2 √ dx, −1 < k < 1. E(k) = 1 − x2 0 (a) Show that

 E(k) =

0

π/2

(1 − k 2 sin2 θ)1/2 dθ.

(b) Show that the arc length of the ellipse x2 y2 + =1 a2 b2  with b ≥ a > 0 equals 4bE( 1 − (a/b)2 ). This connection with ellipses is the origin of the name “elliptic integral.” The relation between elliptic integrals and elliptic curves, as in Section 9.4, is the origin of the name “elliptic curve.” For more on elliptic integrals, see [78]. 9.8 Let E be the elliptic curve y 2 = 4x3 − 4x. Show that  ∞  dx 1 1 −3/4  = t (1 − t)−1/2 dt = β(1/4, 1/2), ω2 = 2 0 x(x2 − 1) 1 where β(p, q) = result says that

1 0

tp−1 (1 − t)q−1 dt is the beta function. A classical β(p, q) =

Γ(p)Γ(q) . Γ(p + q)

Therefore, ω2 =

1 Γ(1/4)Γ(1/2) . 2 Γ(3/4)

Chapter 10 Complex Multiplication The endomorphisms of an elliptic curve E always include multiplication by arbitrary integers. When the endomorphism ring of E is strictly larger than Z, we say that E has complex multiplication. As we’ll see, elliptic curves over C with complex multiplication correspond to lattices with extra symmetry. Over finite fields, all elliptic curves have complex multiplication, and often the Frobenius provides one of the additional endomorphisms. In general, elliptic curves with complex multiplication form an interesting and important class of elliptic curves, partly because of their extra structure and partly because of their frequent occurrence.

10.1 Elliptic Curves over C Consider the elliptic curve E given by y 2 = 4x3 − 4x over C. As we saw in Section 9.4, E corresponds to the torus C/L, where L = Zω + Ziω, for a certain ω ∈ R. Since L is a square lattice, it has extra symmetries. For example, rotation by 90◦ sends L into itself. This can be expressed by saying that iL = L. Using the definition of the Weierstrass ℘-function, we easily see that 
 1 1 1 + − ℘(iz) = (iz)2 (iz − ω)2 ω2 ω=0 
 1 1 1 + − = (iz)2 (iz − iω)2 (iω)2 iω=0

= −℘(z). Differentiation yields

℘ (iz) = i℘ (z).

On the elliptic curve E, we obtain the endomorphism given by i(x, y) = (−x, iy).

311

312

CHAPTER 10 COMPLEX MULTIPLICATION

Therefore, the map z → iz gives a map (x, y) = (℘(z), ℘ (z)) → (℘(iz), ℘ (iz)) = (−x, iy). This is a homomorphism from E(C) to E(C) and it is clearly given by rational functions. Therefore, it is an endomorphism of E, as in Section 2.9. Let Z[i] = {a + bi | a, b ∈ Z}. Then Z[i] is a ring, and multiplication by elements of Z[i] sends L into itself. Correspondingly, if a + bi ∈ Z[i] and (x, y) ∈ E(C), then we obtain an endomorphism of E defined by (x, y) → (a + bi)(x, y) = a(x, y) + b(−x, iy). Since multiplication by a and b can be expressed by rational functions, multiplication of points by a + bi is an endomorphism of E, as in Section 2.9. Therefore, Z[i] ⊆ End(E), where End(E) denotes the ring of endomorphisms of E. (We’ll show later that this is an equality.) Therefore, End(E) is strictly larger than Z, so E has complex multiplication. Just as Z[i] is the motivating example for a lot of ring theory, so is E the prototypical example for complex multiplication. We now consider endomorphism rings of arbitrary elliptic curves over C. Let E be an elliptic curve over C, corresponding to the lattice L = Zω1 + Zω2 . Let α be an endomorphism of E. Recall that this means that α is a homomorphism from E(C) to E(C), and that α is given by rational functions: α(x, y) = (R(x), yS(x)) for rational functions R, S. The map Φ : C/L → E(C),

Φ(z) = (℘(z), ℘ (z))

(see Theorem 9.10) is an isomorphism of groups. The map α ˜ (z) = Φ−1 (α(Φ(z))) is therefore a homomorphism from C/L to C/L. If we restrict to a sufficiently small neighborhood U of z = 0, we obtain an analytic map from U to C such that α ˜ (z1 + z2 ) ≡ α ˜ (z1 ) + α(z ˜ 2 ) (mod L)

SECTION 10.1 ELLIPTIC CURVES OVER C

313

for all z1 , z2 ∈ U . By subtracting an appropriate element of L, we may assume that α ˜ (0) = 0. By continuity, α ˜ (z) is near 0 when z is near 0. If U is sufficiently small, we may therefore assume that α ˜ (z1 + z2 ) = α ˜ (z1 ) + α(z ˜ 2) for all z1 , z2 ∈ U (since both sides are near 0, they can differ only by the element 0 ∈ L). Therefore, for z ∈ U , we have α ˜ (z + h) − α ˜ (z) h→0 h α ˜ (z) + α ˜ (h) − α ˜ (z) = lim h→0 h α ˜ (h) − α ˜ (0) =α ˜  (0). = lim h→0 h

α ˜  (z) = lim

˜  (z) = β for all z ∈ U , we must have Let β = α ˜  (0). Since α α ˜ (z) = βz for all z ∈ U . Now let z ∈ C be arbitrary. There exists an integer n such that z/n ∈ U . Therefore, α(z) ˜ ≡ n˜ α(z/n) = n(βz/n) = βz (mod L), so the endomorphism α ˜ is given by multiplication by β. Since α ˜ (L) ⊆ L, it follows that βL ⊆ L. We have proved half of the following. THEOREM 10.1 Let E be an elliptic curve over C corresponding to the lattice L. Then End(E)  {β ∈ C | βL ⊆ L}. PROOF We have shown that all endomorphisms are given by numbers β. We need to show that all such β’s give endomorphisms. Suppose β ∈ C satisfies βL ⊆ L. Then multiplication by β gives a homomorphism β : C/L → C/L. We need to show that the corresponding map on E is given by rational functions in x, y. The functions ℘(βz) and ℘ (βz) are doubly periodic with respect to L, since βL ⊆ L. By Theorem 9.3, there are rational functions R and S such that ℘(βz) = R(℘(z)),

℘ (βz) = ℘ (z)S(℘(z)).

314

CHAPTER 10 COMPLEX MULTIPLICATION

Therefore, multiplication by β on C/L corresponds to the map (x, y) → (R(x), yS(x)) on E. This is precisely the statement that β induces an endomorphism of E.

Theorem 10.1 imposes rather severe restrictions on the endomorphism ring of E. We’ll show below that End(E) is either Z or an order in an imaginary quadratic field. First, we need to say what this means. We’ll omit the proofs of the following facts, which can be found in many books on algebraic number theory. Let d > 0 be a squarefree integer and let √ √ K = Q( −d) = {a + b −d | a, b ∈ Q}. Then K is called an imaginary quadratic field. The largest subring of K that is also a finitely generated abelian group is ⎧  √ ⎪ if d ≡ 3 (mod 4) ⎨ Z 1+ 2 −d OK = ⎪ ⎩ √  Z −d if d ≡ 1, 2 (mod 4), where, in these two cases, Z[δ] = {a+bδ | a, b ∈ Z}. An order in an imaginary quadratic field is a ring R such that Z ⊂ R ⊆ OK and Z = R. Such an order is a finitely generated abelian group and has the form R = Z + Zf δ, √ √ where f > 0 and where δ = (1 + −d)/2 or −d, corresponding respectively to the two cases given above. The integer f is called the conductor of R and is the index of R in OK . The discriminant of R is −f 2 d if d ≡ 3 (mod 4) DR = −4f 2 d if d ≡ 1, 2 (mod 4). It is the discriminant of the quadratic polynomial satisfied by f δ. A complex number β is an algebraic integer if it is a root of a monic polynomial with integer coefficients. The only algebraic integers in Q are the elements of Z. If β is an algebraic integer in a quadratic field, then there are integers b, c such that β 2 + bβ + c = 0. The set of algebraic integers in an imaginary quadratic field K is precisely the ring OK defined above. An order is therefore a subring (not equal to Z) of the ring of algebraic integers in K. If β ∈ C is an algebraic number (that is, a root of a polynomial with rational coefficients), then there is an integer u = 0 such that uβ is an algebraic integer. THEOREM 10.2 Let E be an elliptic curve over C. Then End(E) is isomorphic either to Z or to an order in an imaginary quadratic field.

SECTION 10.1 ELLIPTIC CURVES OVER C

PROOF

315

Let L = Zω1 + Zω2 be the lattice corresponding to E, and let R = {β ∈ C | βL ⊆ L}.

It is easy to see that Z ⊆ R and that R is closed under addition, subtraction, and multiplication. Therefore, R is a ring. Suppose β ∈ R. There exist integers j, k, m, n such that βω1 = jω1 + kω2 , Then



β − j −k −m β − n

βω2 = mω1 + nω2 . 

ω1 ω2

 = 0,

so the determinant of the matrix is 0. This implies that β 2 − (j + n)β + (jn − km) = 0. Since j, k, m, n are integers, this means that β is an algebraic integer, and that β lies in some quadratic field K. Suppose β ∈ R. Then (β − j)ω1 − kω2 = 0 gives a dependence relation between ω1 and ω2 with real coefficients. Since ω1 and ω2 are linearly independent over R, we have β = j ∈ Z. Therefore, R ∩ R = Z. Suppose now that R = Z. Let β ∈ R with β ∈ Z. Then β is an algebraic integer in a quadratic field √ K. Since β ∈ R, the field K must be imaginary quadratic, say √K = Q( −d). Let β  ∈ Z be another element of R. Then β  ∈ K  = Q( −d ) for some d . Since β + β  also must lie in a quadratic field, it follows (see Exercise 10.1) that K = K  . Therefore, R ⊂ K, and since all elements of R are algebraic integers, we have R ⊆ OK . Therefore, if R = Z, then R is an order in an imaginary quadratic field. Example 10.1 Let E be y 2 = 4x3 − 4x. We showed at the beginning of this section that Z[i] ⊆ End(E). Since End(E) is an order in Q(i) and every such order is contained in the ring Z[i] of algebraic integers in Q(i), we must have End(E) = Z[i].

Suppose from now on that E has complex multiplication, which means that R = End(E) is an order in an imaginary quadratic field K. Rescaling L does not change R, so we may consider ω2−1 L = Z + Zτ,

316

CHAPTER 10 COMPLEX MULTIPLICATION

with τ ∈ H = {z ∈ C | (z) > 0}. Let β ∈ R with β ∈ Z. Since 1 ∈ ω2−1 L, we have β · 1 = m · 1 + nτ with m, n ∈ Z and n = 0. Therefore, τ = (β − m)/n ∈ K.

(10.1)

Let u be an integer such that uτ ∈ R. Such an integer exists since τ multiplied by n is in OK , and R is of finite index in OK . Then L = uω2−1 L = Zu + Zuτ ⊆ R. Then L is a nonempty subset of R that is closed under addition and subtraction, and is closed under multiplication by elements of R (since L is a rescaling of L). This is exactly what it means for L to be an ideal of R. We have proved the first half of the following. PROPOSITION 10.3 Let R be an order in an imaginary quadratic field. Let L be a lattice such that R = End(C/L). Then there exists γ ∈ C× such that γL is an ideal of R. Conversely, if L is a subset of C and γ ∈ C× is such that γL is an ideal of R, then L is a lattice and R ⊆ End(C/L). PROOF By End(C/L), we mean End(E), where E is the elliptic curve corresponding to L under Theorem 9.10. We proved the first half of the proposition above. For the converse, assume that γL is an ideal of R. Let 0 = x ∈ γL. Then Rx ⊆ γL ⊆ R. Since R and therefore also Rx are abelian groups of rank 2 (that is, isomorphic to Z⊕Z), the same must be true for γL. This means that there exist ω1 , ω2 ∈ L such that γL = γZω1 + γZω2 . Since R contains two elements linearly independent over R, so does Rx, and therefore so does L. It follows that ω1 and ω2 are linearly independent over R. Therefore, L = Zω1 + Zω2 is a lattice. Since γL is an ideal of R, we have RγL ⊆ γL, and therefore RL ⊆ L. Therefore R ⊆ End(C/L). Note that sometimes R is not all of End(C/L). For example, suppose R = Z[2i] = {a + 2bi | a, b ∈ Z} and let L = Z[i]. Then R is an order in Q(i) and RL ⊆ L, but End(C/L) = Z[i] = R. We say that two lattices L1 , L2 are homothetic if there exists γ ∈ C× such that γL1 = L2 . We say that two ideals I1 , I2 of R are equivalent if there exists λ ∈ K × such that λI1 = I2 . Regard I1 and I2 as lattices, and suppose I1 and I2 are homothetic. Then γI1 = I2 for some γ. Choose any x = 0 in I1 .

SECTION 10.1 ELLIPTIC CURVES OVER C

317

Then γx ∈ I2 ⊂ K, so γ ∈ K. It follows that I1 and I2 are equivalent ideals. Therefore, we have a bijection Homothety classes of lattices L Equivalence classes of ←→ with RL ⊆ L nonzero ideals of R It can be shown that the set of equivalence classes of ideals is finite (when R = OK , this is just the finiteness of the class number). Therefore, the set of homothety classes is finite. This observation has the following consequence. PROPOSITION 10.4 Let R be an order in an imaginary quadratic field and let L be a lattice such that RL ⊆ L. Then j(L) is algebraic over Q. PROOF Let E be the elliptic curve corresponding to L. We may assume that E is given by an equation y 2 = 4x3 −g2 x−g3 . Let σ be an automorphism of C. Let E σ be the curve y 2 = 4x3 −σ(g2 )x−σ(g3 ). If α is an endomorphism of E, then ασ is an endomorphism of E σ , where ασ means applying σ to all of the coefficients of the rational functions describing α. This implies that End(E)  End(E σ ). Therefore, the lattice corresponding to E σ belongs to one of the finitely many homothety classes of lattices containing R in their endomorphism rings (there is a technicality here; see Exercise 10.2). Since σ(j(L)) is the j-invariant of E σ , we conclude that j(L) has only finitely many possible images under automorphisms of C. This implies (see Appendix C) that j(L) is algebraic over Q. In Section 10.3, we’ll prove the stronger result that j(L) is an algebraic integer. COROLLARY 10.5 Let K be an imaginary quadratic field. 1. Let τ ∈ H. Then C/(Zτ + Z) has complex multiplication by some order in K if and only if τ ∈ K. 2. If τ ∈ H is contained in K, then j(τ ) is algebraic. PROOF We have already shown (see (10.1)) that if there is complex multiplication by an order in K then τ ∈ K. Conversely, suppose τ ∈ K. Then τ satisfies a relation aτ 2 + bτ + c,

318

CHAPTER 10 COMPLEX MULTIPLICATION

where a, b, c are integers and a = 0. It follows that multiplication by aτ maps the lattice Lτ = Zτ + Z into itself (for example, aτ · τ = −bτ − c ∈ Lτ ). Therefore, C/Lτ has complex multiplication. This proves (1). Suppose τ ∈ K. Let R be the endomorphism ring of C/Lτ . By (1), R = Z, so R is an order in K. By Proposition 10.4, j(τ ) is algebraic. This proves (2).

10.2 Elliptic Curves over Finite Fields An elliptic curve E over a finite field Fq always has complex multiplication. In most cases, this is easy to see. The Frobenius endomorphism φq is a root of X 2 − aX + q = 0, √ √ where |a| ≤ 2 q. If |a| < 2 q, then this polynomial has only complex roots, so φq ∈ Z. Therefore, Z = Z[φq ] ⊆ End(E). √ When a = ±2 q, the ring of endomorphisms is still larger than Z, so there is complex multiplication in this case, too. In fact, as we’ll discuss below, the endomorphism ring is an order in a quaternion algebra, hence is larger than an order in a quadratic field. Recall the Hamiltonian quaternions H = {a + bi + cj + dk | a, b, c, d ∈ Q}, where i2 = j2 = k2 = −1 and ij = k = −ji. This is a noncommutative ring in which every nonzero element has a multiplicative inverse. If we allow the coefficients a, b, c, d to be real numbers or 2-adic numbers, then we still obtain a ring where every nonzero element has an inverse. However, if a, b, c, d are allowed to be p-adic numbers (see Appendix A), where p is an odd prime, then the ring contains nonzero elements whose product is 0 (see Exercise 10.4). Such elements cannot have inverses. Corresponding to whether there are zero divisors or not, we say that H is split at all odd primes and is ramified at 2 and ∞ (this use of ∞ is the common way to speak about the real numbers when simultaneously discussing p-adic numbers; see Section 8.8). In general, a definite quaternion algebra is a ring of the form Q = {a + bα + cβ + dαβ | a, b, c, d ∈ Q}, where

α2 , β 2 ∈ Q,

α2 < 0,

β 2 < 0, 2

βα = −αβ

(“definite” refers to the requirement that α < 0 and β 2 < 0). In such a ring, every nonzero element has a multiplicative inverse (see Exercise 10.5). If this

SECTION 10.2 ELLIPTIC CURVES OVER FINITE FIELDS

319

is still the case when we allow p-adic coefficients for some p ≤ ∞, then we say that the quaternion algebra is ramified at p. Otherwise, it is split at p. A maximal order O in a quaternion algebra Q is a subring of Q that is finitely generated as an additive abelian group, and such that if R is a ring with O ⊆ R ⊆ Q and such that R is finitely generated as an additive abelian group, then O = R. For example, consider the Hamiltonian quaternions H. The subring Z + Zi + Zj + Zk is finitely generated as an additive abelian group, but it is not a maximal order since it is contained in O = Z + Zi + Zj + Z

1+i+j+k . 2

(10.2)

It is not hard to show that O is a ring, and it can be shown that it is a maximal order of H. The main theorem on endomorphism rings is the following. For a proof, see [33]. THEOREM 10.6 Let E be an elliptic curve over a finite field of characteristic p. 1. If E is ordinary (that is, #E[p] = p), then End(E) is an order in an imaginary quadratic field. 2. If E is supersingular (that is, #E[p] = 1), then End(E) is a maximal order in a definite quaternion algebra that is ramified at p and ∞ and is split at the other primes. If E is an elliptic curve defined over Q and p is a prime where E has good reduction, then it can be shown that End(E) injects into End(E mod p). Therefore, if E has complex multiplication by an order R in an imaginary quadratic field, then the endomorphism ring of E mod p contains R. If E mod p is ordinary, then R is of finite index in the endomorphism ring of E mod p. However, if E mod p is supersingular, then there are many more endomorphisms, since the endomorphism ring is noncommutative in this case. The following result shows how to decide when E mod p is ordinary and when it is supersingular. THEOREM 10.7 Let E be an elliptic curve defined over Q with √ good reduction at p. Suppose E has complex multiplication by an order in Q( −D). If −D is divisible by p, or if −D is not a square mod p, then E mod p is supersingular. If −D is a nonzero square mod p, then E mod p is ordinary. For a proof, see [70, p. 182].

320

CHAPTER 10 COMPLEX MULTIPLICATION

Example 10.2 Let E be the elliptic curve y 2 = x3 − x. It has good reduction for all primes p = 2. The endomorphism ring R of E is Z[i], where i(x, y) = (−x, iy) √ (see Section 10.1). This endomorphism ring is contained in Q( −4), where we use −D = −4 since it is the discriminant of R. We know that −4 is a square mod an odd prime p if and only if p ≡ 1 (mod 4). Therefore, E mod p is ordinary if and only if p ≡ 1 (mod 4). This is exactly what we obtained in Proposition 4.37. When p ≡ 3 (mod 4), it is easy to see that the endomorphism ring of E mod p is noncommutative. Since ip = −i, we have φp (i(x, y)) = φp (−x, iy) = (−xp , −iy p ), and i(φp (x, y)) = i(xp , y p ) = (−xp , iy p ). Therefore, iφp = −φp i, so i and φp do not commute. The following result, known as Deuring’s Lifting Theorem, shows that the method given in Theorem 10.7 for obtaining ordinary elliptic curves mod p with complex multiplication is essentially the only way. Namely, it implies that an elliptic curve with complex multiplication over a finite field can be obtained by reducing an elliptic curve with complex multiplication in characteristic zero. THEOREM 10.8 Let E be an elliptic curve defined over a finite field and let α be an endo˜ defined over a finite morphism of E. Then there exists an elliptic curve E ˜ extension K of Q and an endomorphism α ˜ of E such that E is the reduction ˜ mod some prime ideal of the ring of algebraic integers of K and the of E reduction of α ˜ is α. For a proof in the ordinary case, see [70, p. 184]. It is not possible to extend the theorem to lifting two arbitrary endomorphisms simultaneously. For example, the endomorphisms i and φp in the above example cannot be simultaneously lifted to characteristic 0 since they do not commute. All endomorphism rings in characteristic 0 are commutative. Finally, we give an example of a supersingular curve in characteristic 2. In particular, we’ll show how to identify the maximal order of H in the endomorphism ring.

SECTION 10.2 ELLIPTIC CURVES OVER FINITE FIELDS

321

Example 10.3 Let E be the elliptic curve defined over F2 by y 2 + y = x3 . An easy calculation shows that E(F2 ) consists of 3 points, so a = 2 + 1 − #E(F2 ) = 2 + 1 − 3 = 0. Therefore, E is supersingular and the Frobenius endomorphism φ2 satisfies φ22 + 2 = 0. If (x, y) ∈ E(F2 ), then 2(x, y) = −φ22 (x, y) = −(x4 , y 4 ) = (x4 , y 4 + 1), since negation on E is given by −(x, y) = (x, y + 1). By Theorem 10.6, the endomorphism ring is a maximal order in a quaternion algebra ramified at only 2 and ∞. We gave such a maximal order in (10.2) above. Let’s start by finding endomorphisms corresponding to i, j, k. Let ω ∈ F4 satisfy ω 2 + ω + 1 = 0. Define endomorphisms i, j, k by i(x, y) = (x + 1, y + x + ω) j(x, y) = (x + ω, y + ω 2 x + ω) k(x, y) = (x + ω 2 , y + ωx + ω). An easy calculation shows that i(j(x, y)) = k(x, y), and that

j(i(x, y)) = −k(x, y)

i2 = k2 = k2 = −1.

A straightforward calculation yields (1 + i + j + k)(x, y) = (ωx4 , y 4 ) = φ22 (ωx, y) = −2(ω(x, y)), where ω is used to denote the endomorphism (x, y) → (ωx, y). Therefore, 1+i+j+k = −ω ∈ End(E). 2 It follows that Z + Zi + Zj + Z

1+i+j+k ⊆ End(E). 2

In fact, by Theorem 10.6, this is the whole endomorphism ring.

322

CHAPTER 10 COMPLEX MULTIPLICATION

10.3 Integrality of j-invariants At the end of Section 10.1, we showed that the j-invariant of a lattice, or of a complex elliptic curve, with complex multiplication by an order in an imaginary quadratic field is algebraic over Q. This means that the j-invariant is a root of a polynomial with rational coefficients. In the present section, we show that this j-invariant is an algebraic integer, so it is a root of a monic polynomial with integer coefficients. THEOREM 10.9 Let R be an order in an imaginary quadratic field and let L be a lattice with RL ⊆ L. Then j(L) is an algebraic integer. Equivalently, let E be an elliptic curve over C with complex multiplication. Then j(E) is an algebraic integer. The proof of the theorem will occupy the remainder of this section. The √ theorem has an amusing consequence. The ring R = Z 1+ 2−163 is a principal ideal domain (see [16]), so there is only one equivalence class of ideals of R, namely the one represented by R. The proof of Proposition 10.4 shows that all automorphisms of C must fix j(R), where R is regarded as a lattice. Therefore, j(R) ∈ Q. The only algebraic integers in Q are the elements of Z, so j(R) ∈ Z. Recall that j(τ ) is the j-invariant of the lattice Zτ + Z, and that j(τ ) =

1 + 744 + 196884q + 21493760q 2 + · · · , q

where q = e2πiτ . When τ =

√ 1+ −163 , 2

we have R = Zτ + Z and

q = −e−π

√

163

.

Therefore, −eπ Since

√

163

+ 744 − 196884e−π

196884e−π

we find that eπ eπ

√

√

163

163

√

163

√

163

+ 21493760e−2π

− 21493760e−2π

√

163

√

163

+ · · · ∈ Z.

+ · · · < 10−12 ,

differs from an integer by less than 10−12 . In fact, = 262537412640768743.999999999999250 . . . ,

as predicted. In the days when high precision calculation was not widely √ available, it was often claimed as a joke that eπ 163 was an integer. Any calculation with up to 30 places of accuracy seemed to indicate that this was

SECTION 10.3 INTEGRALITY OF j-INVARIANTS

323

the case. This was in contradiction to the Gelfond-Schneider theorem, which implies that such a number must be transcendental. We now start the proof of the theorem. If L = Zω1 + Zω2 is a lattice, we may divide by ω2 and thus assume that L = Zτ + Z, with τ ∈ H. If β ∈ R, then βL ⊆ L implies that there exist integers j, k, m, n with      τ j k τ β = . 1 mn 1 Let N = jn−km be the determinant of the matrix. Rather than concentrating only on β, it is convenient to consider all 2 × 2 matrices with determinant N simultaneously. LEMMA 10.10 Let N be a positive integer and let SN be the set of matrices of the form   ab 0d with a, b, d ∈ Z, ad = N , and 0 ≤ b < d. If M is a 2 × 2 matrix with integer entries and determinant N , then there is a unique matrix S ∈ SN such that M S −1 ∈ SL2 (Z). In other words, if we say that two matrices M1 , M2 are left SL2 (Z)-equivalent when there exists a matrix X ∈ SL2 (Z) with XM1 = M2 , then SN contains exactly one element in each equivalence class of the set of integer matrices of determinant N .  PROOF

Let

pq rs

 be an integer matrix with determinant N . Write −

x p = r y

with gcd(x, y) = 1. There exist w, z ∈ Z such that xz − wy = 1. Then   zw ∈ SL2 (Z) y x and



zw y x



pq rs



 =

∗∗ 0∗

 .

324

CHAPTER 10 COMPLEX MULTIPLICATION

Therefore, we may  assume  at the start that r = 0, and hence ps = N . By −1 0 multiplying by if necessary, we may also assume that s > 0. Choose 0 −1 t ∈ Z such that 0 ≤ q + ts < s. 

Then

1t 01



pq 0s



 =

p q + ts 0 s

 ∈ SN .

Therefore, the elements of SN represent all SL2 (Z)-equivalence classes for matrices of determinant N .   ai bi For the uniqueness, suppose that Mi = ∈ SN for i = 1, 2 are left 0 di SL2 (Z)-equivalent. Then, 

a1 /a2 (b1 a2 − a1 b2 )/N 0 d1 /d2



 =

a1 b1 0 d1



a2 b2 0 d2

−1 ∈ SL2 (Z).

Therefore, a1 /a2 and d1 /d2 are positive integers with product equal to 1, so they are both equal to 1. Consequently, a1 = a2 and d1 = d2 . This implies that b1 a1 − a1 b2 b1 a2 − a1 b2 b1 − b 2 = = . N a1 d1 d1 Since this must be an integer (because the matrix is in SL2 (Z)), we have b1 ≡ b2

(mod d1 ).

Since 0 ≤ b1 , b2 < d1 = d2 , we have b1 = b2 . Therefore, M1 = M2 . This proves the uniqueness.  For S =

ab 0d

 ∈ SN , the function  (j ◦ S)(τ ) = j

aτ + b d



is analytic in H. Define FN (X, τ ) =

(X − (j ◦ S)(τ )) =

S∈SN




ak (τ )X k ,

k

so FN is a polynomial in the variable X with coefficients ak (τ ) that are analytic functions for τ ∈ H. LEMMA 10.11 ak (M τ ) = ak (τ ) for all M ∈ SL2 (Z).

SECTION 10.3 INTEGRALITY OF j-INVARIANTS

325

PROOF If S ∈ SN , then SM has determinant N , so there exists AS ∈ SL2 (Z) and a uniquely determined MS ∈ SN such that AS MS = SM . If S1 , S2 ∈ SN and MS1 = MS2 , then −1 A−1 S1 S1 M = MS1 = MS2 = AS2 S2 M,

which implies that AS2 A−1 S1 S1 = S2 . By the uniqueness part of Lemma 10.10, S1 = S2 . Therefore, the map S → MS is an injection on the finite set SN , hence is a permutation of the set. Since j ◦ A = j for A ∈ SL2 (Z), we have

FN (X, M τ ) = (X − j(SM τ )) S∈SN

=

(X − j(AS MS τ ))

S∈SN

=

(X − j(MS τ ))

S∈SN

=

(X − j(Sτ ))

S∈SN

= FN (X, τ ). The next to last equality expresses the fact that S → MS is a permutation of SN , hence does not change the product over all of SN . Since FN is invariant under τ → M τ , the same must hold for its coefficients ak (τ ). LEMMA 10.12 For each k, there exists an integer n such that ak (τ ) ∈ q −n Z[[q]], where Z[[q]] denotes power series in q with integer coefficients. In other words, ak (τ ) can be expressed as a Laurent series with only finitely many negative terms, and the coefficients are integers. PROOF

The j-function has the expansion j(τ ) =

∞
1 + 744 + 196884q + · · · = ck q k = P (q), q k=−1

where the coefficients ck are integers (see Exercise 9.1). Therefore, j((aτ + b)/d) =

∞
k=−1

ck (ζ b e2πiaτ /d )k = P (ζ b e2πiaτ /d ),

326

CHAPTER 10 COMPLEX MULTIPLICATION

where ζ = e2πi/d . Fix a and d with ad = N . CLAIM 10.13

d−1

(X − P (ζ b e2πiaτ /d )) =

b=0

d


pk (e2πiaτ /d )X k

k=0

is a polynomial in X whose coefficients pk are Laurent series in e2πiaτ /d with integer coefficients. In the statement of the claim and in the following, a Laurent series will always be one with only finitely many negative terms (in other words, a power series plus finitely many terms with negative exponents). Everything in the claim is obvious except the fact that the coefficients of the Laurent series pk are integers. One proof of this is as follows. The coefficients of each pk lie in Z[ζ]. The Galois group of Q(ζ)/Q permutes the factors of the product, hence leaves the coefficients of pk unchanged. Therefore, they are in Q. But the elements of Z[ζ] ∩ Q are algebraic integers in Q, hence are in Z. This proves the claim. For a proof of the claim that does not use Galois theory, consider the matrix ⎛ ⎞ 0 1 0 ··· 0 ⎜0 0 1 ··· 0⎟ ⎜ ⎟ Z = ⎜ . . . . . ⎟. ⎝ .. .. .. . . .. ⎠ 1 0 0 ··· 0 Let 0 ≤ b < d and let

⎛ ⎜ ⎜ ⎜ vb = ⎜ ⎜ ⎝

1 ζb ζ 2b .. .

⎞ ⎟ ⎟ ⎟ ⎟. ⎟ ⎠

ζ b(d−1) Then Zvb = ζ b vb . It follows that P (e2πiaτ /d Z)vb = P (ζ b e2πiaτ /d )vb . Therefore, the numbers P (ζ b e2πiaτ /d ), for 0 ≤ b < d, are a complete set of eigenvalues for the d×d matrix P (e2πiaτ /d Z), so the characteristic polynomial is d−1

(X − P (ζ b e2πiaτ /d )). b=0

But the entries of the matrix P (e2πiaτ /d Z) are Laurent series in e2πiaτ /d with integer coefficients. Therefore, the coefficients of the characteristic polynomial are power series in e2πiaτ /d with integer coefficients. This proves the claim.

SECTION 10.3 INTEGRALITY OF j-INVARIANTS

327

Since ad = N for each matrix in SN , 2

e2πiaτ /d = e2πia

τ /N

.

Therefore, the pk (τ ) in the claim can be regarded as a Laurent series in e2πiτ /N . The claim implies that the coefficients ak (τ ) of FN (X, τ ) are Laurent series in e2πiτ /N with integer coefficients. To prove the lemma, we need to remove the N . The matrix   11 ∈ SL2 (Z) 01 acts on H by τ → τ + 1. Lemma 10.11 implies that ak (τ ) is invariant under τ → τ + 1. Since (e2πiτ /N ) is invariant under τ → τ + 1 only when N | , the Laurent series for ak must be a Laurent series in (e2πiτ /N )N = e2πiτ . This proves Lemma 10.12. PROPOSITION 10.14 Let f (τ ) be analytic for τ ∈ H, and suppose   aτ + b f = f (τ ) cτ + d   ab for all ∈ SL2 (Z) and all τ ∈ H. Also, assume cd f (τ ) ∈ q −n Z[[q]] for some integer n. Then f (τ ) is a polynomial in j with integer coefficients: f (τ ) ∈ Z[j]. PROOF

Recall that j(τ ) −

1 ∈ Z[[q]]. q

f (τ ) =

bn + ··· , qn

Write

with bn ∈ Z. Then f (τ ) − bn j n =

bn−1 + ··· , q n−1

with bn−1 ∈ Z. Therefore, f (τ ) − bn j n − bn−1 j n−1 =

bn−2 + ··· . q n−2

328

CHAPTER 10 COMPLEX MULTIPLICATION

Continuing in this way, we obtain g(τ ) = f (τ ) − bn j n − · · · b0 ∈ qZ[[q]] for integers bn , . . . , b0 . The function g(τ ) is analytic in H and vanishes at i∞. Also, g(τ ) is invariant under the action of SL2 (Z). Proposition 9.16 says that if g is not identically zero then a sum of the orders of g at various points is 0. But these orders are all nonnegative since g is analytic. Moreover, the order of g at i∞ is positive. Therefore the sum of the orders must be positive, hence cannot be zero. The only possibility is that g is identically zero. This means that g(τ ) = f (τ ) − bn j n − · · · b0 = 0, so f (τ ) ∈ Z[j]. Combining Lemma 10.12 and Proposition 10.14, we obtain the first part of the following. THEOREM 10.15 Let N be a positive integer. 1. There is a polynomial with integer coefficients ΦN (X, Y ) ∈ Z[X, Y ] such that the coefficient of the highest power of X is 1 and such that FN (X, τ ) = ΦN (X, j(τ )). 2. If N is not a perfect square, then HN (X) = ΦN (X, X) ∈ Z[X] is nonconstant and the coefficient of its highest power of X is ±1. PROOF know that

We have already proved the first part. For the second part, we HN (j) = ΦN (j, j) = FN (j, τ ) =

(j − j ◦ S)

S∈SN

is a polynomial in j with integer coefficients.   We need to look at the coefficient ab of the highest power of j. Let S = ∈ SN . If we expand the factor 0d j − j ◦ S as a Laurent series in e2πiτ /N , the first term for j is e−2πiτ = (e−2πiτ /N )N

SECTION 10.3 INTEGRALITY OF j-INVARIANTS

329

and the first term for j ◦ S is 2

ζ −b e−2πiaτ /d = ζ −b (e−2πiτ /N )a . Since N is not a perfect square, N = a2 . Therefore, these terms represent different powers of e2πiτ /N , so they cannot cancel each other. One of them must be the first term of the expansion of j − j ◦ S, which therefore has coefficient 1 or −ζ b . In particular, for each factor j − j ◦ S, the coefficient of the first term of the expansion is a root of unity. The coefficient of the first term of the expansion of HN (j) is the product of these roots of unity, hence a root of unity. Also, since the terms don’t cancel each other, the first term of each factor contains a negative power of e2πiτ /N . Therefore, the first term of the expansion HN (j) is a negative power of q, so HN (X) is nonconstant. Suppose HN (X) = uX  + lower terms. We know that u ∈ Z. Since the Laurent series for j starts with 1/q, HN (j) = uq − + higher terms. We have shown that u is a root of unity. Since it is an integer, u = ±1. This completes the proof of (2). The modular polynomial ΦN (X, Y ) has rather large coefficients. For example, Φ2 (X, Y ) = −X 2 Y 2 + X 3 + Y 3 + 24 · 3 · 31 XY (X + Y ) +34 · 53 · 4027 XY − 24 · 34 · 53 (X 2 + Y 2 ) +28 · 37 · 56 (X + Y ) − 212 · 39 · 59 , and Φ3 (X, Y )

= X 4 − X 3 Y 3 + 2232X 3 Y 2 − 1069956X 3 Y + 36864000X 3 +2232X 2 Y 3 + 2587918086X 2 Y 2 + 8900222976000X 2 Y +452984832000000X 2 − 1069956XY 3 + 8900222976000XY 2 −770845966336000000XY + 1855425871872000000000X + Y 4 +36864000Y 3 + 452984832000000Y 2 + 1855425871872000000000Y

For ΦN for higher N , see [50], [53], [54]. We can now prove Theorem 10.9. Let R be an order in an imaginary quadratic field and let L be a lattice with RL ⊆ L. By multiplying L by a suitable factor, we may assume that L = Z + Zτ with τ ∈ H. The √ order R is√of finite index in OK for some imaginary quadratic −d). Since√ −d ∈ OK , there is a nonzero integer n such that field K = Q( √ n −d ∈ R. Therefore, n −dL ⊆ L, so √ √ (10.3) n −d · τ = tτ + u, n −d · 1 = vτ + w

330

CHAPTER 10 COMPLEX MULTIPLICATION

for some integers t, u, v, w. Dividing the two equations yields τ=

tτ + u . vτ + w

As in the proof of Theorem 10.2, the two equations in (10.3) yield √ √ (n −d)2 − (t + w)(n −d) + (tw − uv) = 0. √ Therefore, n −d is a root of X 2 − (t + w)X + (tw − uv) and is also a root of If these are not the same polynomial, we can subtract them and X 2 + n2 d. √ find that n −d is a root of a polynomial of degree at most 1 with integer coefficients, which is impossible. Therefore the two polynomials are the same, so   t u det = tw − uv = n2 d. vw By Lemma 10.10, there exist M ∈ SL2 (Z) and S1 ∈ Sn2 d such that   t u = M S1 . vw 

Then j(τ ) = j

tτ + u vτ + w

since j ◦ M = j. Therefore,

 = j(M S1 τ ) = j(S1 τ ),

Hn2 d (j(τ )) =

(j(τ ) − j(Sτ )) = 0,

S∈Sn2 d

since j(τ ) − j(S1 τ ) = 0 is one of the factors. Assume now that d = 1. Since n2 d is not a square, Theorem 10.15 implies that the highest coefficient of Hn2 d (X) is ±1. Changing the sign of HN if necessary, we find that j(τ ) is a root of a monic polynomial with integer coefficients. This means that j(L) = √ j(τ ) is an algebraic integer. If d = 1, then K = Q(i). Replace −d in the above argument with 1 + i. The argument works with a minor modification; namely, n(1 + i) is a root of X 2 − 2nX + 2n2 . This yields tw − uv = 2n2 , which is not a square. Therefore, we can apply Theorem 10.15 to conclude that j(τ ) is an algebraic integer. This completes the proof of Theorem 10.9.

10.4 Numerical Examples Suppose we want to evaluate x=j



1+

√  −171 . 2

SECTION 10.4 NUMERICAL EXAMPLES

331

This is the j-invariant of an elliptic curve that has complex multiplication √ 1+ −171 . The others are j(τ2 ), j(τ3 ), j(τ4 ), which are given below, by Z 2   √ along with j 1+ 2−19 , which corresponds to an elliptic curve with a larger endomorphism ring. We can evaluate x numerically using Proposition 9.12. This yields √   1 + −171 j = 2 −694282057876536664.01228868670830742604436745364124466 . . . . This number is an algebraic integer by Theorem 10.9. Suppose we want a polynomial that has x as its root. One way to do this is to find the Galois conjugates of x, namely, the other roots of a polynomial satisfied by x. We’ll show how to proceed for this particular x, then describe the general method. √ Let τ0 = (1 + −171)/2. Then √ √ K = Q(τ0 ) = Q( −171) = Q( −19). Let

 R=Z

1+

√ √    1 + −19 −171 ⊂Z = OK . 2 2

The endomorphism ring of the lattice R ⊂ C is R. As we showed in the proof of Proposition 10.4, the Galois conjugates of j(R) are j-invariants of lattices with the same endomorphism ring, namely R. These have the form j(I), where I is an ideal of R. However, I cannot be an ideal for any order larger than R since then I has an endomorphism ring larger than R. If I is an ideal of R, it has the form I = γ(Zτ + Z) for some γ ∈ C× and some τ ∈ H. By an appropriate change of basis, we can assume τ ∈ F, the fundamental domain for SL2 (Z) acting on the upper half plane. See Proposition 9.15. As we saw in Equation 10.1, τ ∈ K. Let aτ 2 + bτ + c = 0, with a, b, c ∈ Z. We may assume that gcd(a, b, c) = 1 and that a > 0. The fact that I is an ideal for R but not for any larger order can be shown to imply that the discriminant is exactly −171: b2 − 4ac = −171. √ (On the other hand, the polynomial X 2 + X + 5 has a root τ = (1 + −19)/2, which corresponds to the ideal 3OK ⊂ R. This is an ideal not only of R, but also of OK .) The fact that τ ∈ F means that

332

CHAPTER 10 COMPLEX MULTIPLICATION

1. −a < b ≤ a 2. a ≤ c, 3. if a = c then b ≥ 0. The first of these expresses the condition that −1/2 ≤ (τ ) < 1/2, while the second says that |τ | ≥ 1. The case where a = c corresponds to τ lying on the unit circle, and b > 0 says that it lies on the left half. It can be shown (see [16]) that there is a one-to-one correspondence between the ideals I that we are considering (endomorphism ring exactly R) and those triples satisfying a > 0, gcd(a, b, c) = 1, b2 − 4ac = −171, and conditions (1), (2), and (3). Let’s count these triples. The strategy is to consider (b2 + 171)/4 and try to factor it as ac with a, b, c satisfying (1), (2), and (3): b (b2 + 171)/4 1 43 ±3 45 5 49

a 1 5 7

c 43 9 7

The triple (a, b, c) = (3, 3, 15), which arose in the above calculations, is not listed since gcd(a, b, c) = 1 (and it corresponds to the ideal 3OK , which is an ideal for the larger ring OK , as mentioned above). There are no values for a, c when b = ±7. When |b| ≥ 9, the condition |b| ≤ a ≤ c can no longer be satisfied. We have therefore found all triples. They correspond to values of τ , call them τ1 , τ2 , τ3 , τ4 : (a, b, c) = (1, 1, 43) ←→ τ1 = (a, b, c) = (5, 3, 9) ←→ τ2 = (a, b, c) = (5, −3, 9) ←→ τ3 = (a, b, c) = (7, 5, 7) ←→ τ4 =

√ −171 2 √ −3 + −171 √10 3 + −171 10√ −5 + −171 . 14 −1 +

Note that j(τ0 ) = j(τ1 ) since τ0 = τ1 + 1. Compute the values j(τ2 ) = −417.33569403605596400916623167906655644314607149466 . . . +i3470.100833725097578092463768970644185234184993550 . . . j(τ3 ) = −417.33569403605596400916623167906655644314607149466 . . . −i3470.100833725097578092463768970644185234184993550 . . . j(τ4 ) = 154.683676758820235444376830811774357548921993728906 . . . .

SECTION 10.4 NUMERICAL EXAMPLES

333

We can now form the polynomial (X − j(τ1 ))(X − j(τ2 ))(X − j(τ3 ))(X − j(τ4 )) = X 4 + 694282057876537344 X 3 + 472103267541360574464 X 2 +8391550371275812148084736 X − 1311901521779155773721411584. Since we are working with decimals, the numerical coefficients we obtain are not exact integers. But, since the roots j(τk ) are a complete set of Galois conjugate algebraic integers, it follows that the coefficients are true integers. Therefore, if the computations are done with enough accuracy, we can round off to obtain the above polynomial. √ We now describe the general situation. If we start with τ0 = x+yz −d , then we can use a matrix in SL2 (Z) to move τ0 to τ1 ∈ F, and we have j(τ0 ) = j(τ1 ). Therefore, let’s assume τ0 ∈ F. Find integers a, b, c such that aτ02 + bτ0 + c = 0 and a > 0, gcd(a, b, c) = 1. Let b2 −4ac = −D. Now repeat the procedure used above, with D in place of 171, and obtain values τ1 , . . . , τh . The polynomial satisfied by j(τ0 ) = j(τ1 ) is r

(X − j(τk )) ∈ Z[X].

k=1

The above techniques can be used to find elliptic curves over finite fields with given orders. For example, suppose we want an elliptic curve E over Fp , for some prime p, such that N = #E(Fp ) = 54323 (N is a prime). Because of Hasse’s theorem, we must have p fairly close to N . The strategy is to choose a prime p, then let ap = p+1−N and −D = a2p −4p. We then find the polynomial P (X) whose roots are the j-invariants of elliptic curves with complex multiplication by the order R of discriminant −D. Find a root of P (X) mod p. Such a root will be the j-invariant of an elliptic curve E mod p that has complex multiplication by R. The roots of X 2 − ap X + p = 0 lie in R (since a2p − 4p = −D) and therefore correspond to endomorphisms of E. It can be shown that one of these endomorphisms is the Frobenius map (up to sign; see below). Therefore, we have found the characteristic polynomial of the Frobenius map. It follows that #E(Fp ) = p + 1 − ap = N,

334

CHAPTER 10 COMPLEX MULTIPLICATION

as desired. There is a slight complication caused by the fact that we might end up with −ap in place of ap . We’ll discuss this below. In order to keep the number of τk ’s small, we want D, in the above notation, √ to be small. This means that we should have ap near ±2 p. A choice that works well for us is p = 54787,

ap = 465,

D = 2923.

There are six values τk , corresponding to the polynomials aX 2 + bX + c with (a, b, c) = (1, 1, 731), (17, ±1, 43), (11, ±5, 67), (29, 21, 29). We obtain a polynomial P (X) of degree 6 with integer coefficients, as above. One of the roots of P (X) mod p is j = 46514. Recall (see Section 2.7) that y 2 = x3 +

2j 3j x+ 1728 − j 1728 − j

(10.4)

is an elliptic curve E1 with j-invariant equal to j. In our case, we obtain y 2 = x3 + 10784x + 43714

(mod 54787).

The point Q = (1, 36185) lies on E1 . However, we find that 54323Q = ∞,

55253Q = ∞.

Since 55253 = p + 1 + 465, we discover that we have obtained a curve E1 with ap = −465 instead of ap = 465. This curve has complex multiplication by the order R of discriminant −D (note that −D = a2p − 4p, so the sign of ap is irrelevant for D), so it is natural for it to appear. To obtain the desired curve, we twist by a quadratic nonresidue mod p (see Exercise 4.10). A quick computation shows that 2 is not a square mod p, so we look at the curve E defined by y 2 = x3 + 4 · 10784x + 8 · 43714

(mod 54787).

This has N points mod p. Just to be sure, we can compute 54323 (3, 38039) = ∞. Since 54323 is prime, we find that 54323 divides the number of points in E(Fp ). But √ 2 · 54323 > p + 1 + 2 p, so Hasse’s theorem implies that #E(Fp ) = 54323.

SECTION 10.4 NUMERICAL EXAMPLES

335

The above technique can be used to produce an elliptic curve E and a prime p such that E(Fp ) is a desired group (when such a curve exists). For example, suppose we want E(Fp )  Z2 ⊕ Z2 ⊕ Z63 . We take N = 252,

p = 271,

ap = 20,

so N = p + 1 − ap . We choose τ=

−1 +

√

−171

2

.

As we’ll see below, this choice imposes certain congruence conditions on the Frobenius map that force E(Fp ) to have the desired form. We computed the polynomial satisfied by j(τ ) above. This polynomial has the root 5 mod 271. Putting this value into the formula (10.4) yields the elliptic curve E given by y 2 = x3 + 70x + 137

(mod 271).

It has 252 points and has complex multiplication by the order √   1 + −171 R=Z 2 of discriminant −171 = a2p − 4p. The characteristic polynomial of the Frobenius endomorphism φp is X 2 − 20X + 271, √ so φp corresponds to a root 10 ± −171. The choice of sign is irrelevant for our purposes (it corresponds to how we choose to identify R with the endomorphism ring), so we assume √ φp = 10 + −171. Therefore,

√   1 + −171 φp = 1 + 2 4 + ≡1 2

(mod 2R).

It follows that φp acts as the identity on points of order 2, so E(Fp ) has a subgroup isomorphic to Z2 ⊕ Z2 . In fact, E[2] = {∞, (40, 0), (56, 0), (175, 0)} ⊂ E(Fp ). Since 252 = 4 × 63,

E(Fp )  Z2 ⊕ Z2 ⊕ Z63 .

If we instead want the group to be cyclic of order 252, we could use R = √ Z[ −171] so that φp would not be congruent to 1 mod 2 or mod 3. We would

336

CHAPTER 10 COMPLEX MULTIPLICATION

then find a new set of τk corresponding to the discriminant −4 · 171, a new j-invariant mod p, and a new  √E.  If we had used R = Z 1+ 2−19 , then we would have obtained an elliptic curve with group isomorphic to Z6 ⊕ Z42 , since φp ≡ 1 (mod 6R ) in this case. This technique has many uses. For example, in [100], the curve E defined by y 2 = x3 + 3x − 31846 (mod 158209)

was dedicated to Arjen Lenstra on the occasion of his thesis defense on May 16, 1984. The curve satisfies E(F158209 )  Z5 ⊕ Z16 ⊕ Z1984 . (If the defense had been one month later, such a dedication would have been impossible.) Finding elliptic curves with groups that are cyclic of large prime order is very useful in cryptography (see Chapter 6). Finding elliptic curves of a given order is also useful in primality proving (see Section 7.2). A detailed discussion of the problem, with improvements on the method presented here, is given in [73]. See also [7], [8].

10.5 Kronecker’s Jugendtraum The Kronecker-Weber theorem says that if K/Q is a finite Galois extension with abelian Galois group, then K ⊆ Q(e2πi/n ) for some integer n. This can be viewed as saying that the abelian extensions of Q are generated by the values of an analytic function, namely e2πiz , at rational numbers. Kronecker’s Jugendtraum (youthful dream) is that the abelian extensions of an arbitrary number field might similarly be generated by special values of a naturally occurring function. This has been accomplished for imaginary quadratic fields. Some progress has also been made for certain other fields by Shimura using complex multiplication of abelian varieties (higher dimensional analogues of elliptic curves). If E is an elliptic curve given by y 2 = x3 + Ax + B, then its j-invariant is given by j = 6912A3 /(4A3 + 27B 2 ). Therefore, if E is defined over a field L, then the j-invariant of E is contained in L. Conversely, if j = 0, 1728 lies in some field L, then the elliptic curve y 2 = x3 +

2j 3j x+ 1728 − j 1728 − j

EXERCISES

337

is defined over L and has j-invariant equal to j ∈ L. Therefore, for any j there is an elliptic curve with j-invariant equal to j defined over the field generated by j. THEOREM √ 10.16 Let K = Q( −D) be an imaginary quadratic field, let OK be the ring of algebraic integers in K, and let j = j(OK ), where OK is regarded as a lattice in C. Let E be an elliptic curve defined over K(j) with j-invariant equal to j. 1. Assume K = Q(i), Q(e2πi/3 ). Let F be the field generated over K(j) by the x-coordinates of the torsion points in E(Q). Then F/K has abelian Galois group, and every extension of K with abelian Galois group is contained in F . 2. If K = Q(i), the result of (1) holds when F is the extension generated by the squares of the x-coordinates of the torsion points. 3. If K = Q(e2πi/3 ), the result of (1) holds when F is the extension generated by the cubes of the x-coordinates of the torsion points. For a proof, see, for example, [111, p. 135] or [103]. Note that j(OK ) is algebraic, by Proposition 10.4. The j-invariant determines the lattice for the elliptic curve up to homothety (Corollary 9.20), so an elliptic curve with invariant j(OK ) automatically has complex multiplication by OK . The x-coordinates of the torsion points are of the form ℘(r1 ω1 + r2 ω2 ),

r1 , r2 ∈ Q,

where ℘ is the Weierstrass ℘-function for the lattice for E. Therefore, the abelian extensions of K are generated by j(OK ) and special values of the function ℘. This is very much the analogue of the Kronecker-Weber theorem. There is much more that can be said on this subject. See, for example, [111] and [70].

Exercises

√ √ 10.1 Let K = Q( d) and K
= Q( d
) be quadratic fields. Let β ∈ K and β
∈ K
and assume β, β
∈ Q. Suppose that β + β
lies in a
quadratic field. Show that √ K = K . (Hint:
It suffices to consider the √

case β = a d and β = b d . Let α = β + β . Show that if α is a root of with coefficients in Q, then we can solve for √ √ √ a quadratic polynomial d, say, in terms of d
and obtain d ∈ K
.)

338

CHAPTER 10 COMPLEX MULTIPLICATION

10.2 Let R be an order in an imaginary quadratic field. Regard R as a subset of C. Show that if r ∈ R, then its complex conjugate r is also in R. This means that if L is a lattice with complex multiplication by R, then there are two ways to embed R into the endomorphisms of L, namely via the assumed inclusion of R in C and also via the complex conjugate embedding (that is, if r ∈ R and  ∈ L, define r ∗  = r). This means that when we say that R is contained in the endomorphism ring of a lattice or of an elliptic curve, we should specify which embedding we are using. For elliptic curves over C, this is not a problem, since we can implicitly regard R as a subset of C and take the action of R on L as being the usual multiplication. But for elliptic curves over fields of positive characteristic, we cannot use this complex embedding. 
√ 10.3 Use the fact that Z 1+ 2−43 is a principal ideal domain to show that eπ

√

43

is very close to an integer.

10.4 Let x = a + bi + cj + dk lie in the Hamiltonian quaternions. (a) Show that (a + bi + cj + dk)(a − bi − cj − dk) = a2 + b2 + c2 + d2 . (b) Show that if x = 0, then there exists a quaternion y such that xy = 1. (c) Show that if we allow a, b, c, d ∈ Q2 (= the 2-adics), then a2 + b2 + c2 + d2 = 0 if and only if a = b = c = d = 0. (Hint: Clearing denominators reduces this to showing that a2 + b2 + c2 + d2 ≡ 0 (mod 8) implies that a, b, c, ≡ 0 (mod 8).) (d) Show that if x, y are nonzero Hamiltonian quaternions with 2-adic coefficients, then xy = 0. (e) Let p be an odd prime. Show that the number of squares a2 mod p, including 0, is (p + 1)/2 and that the number of elements of Fp of the form 1 − b2 (mod p) is also (p + 1)/2. (f) Show that if p is a prime, then a2 + b2 + 1 ≡ 0 (mod p) has a solution a, b. (g) Use Hensel’s lemma (see Appendix A) to show that if p is an odd prime, then there exist a, b ∈ Qp such that a2 + b2 + 1 = 0. (The hypotheses of Hensel’s lemma are not satisfied when p = 2.) (h) Let p be an odd prime. Show that there are nonzero Hamiltonian quaternions x, y with p-adic coefficients such that xy = 0. 10.5 Show that a nonzero element in a definite quaternion algebra has a multiplicative inverse. (Hint: Use the ideas of parts (1) and (2) of Exercise 10.4.)

Chapter 11 Divisors

11.1 Definitions and Examples Let E be an elliptic curve defined over a field K. For each point P ∈ E(K), define a formal symbol [P ]. A divisor D on E is a finite linear combination of such symbols with integer coefficients:
D= aj [Pj ], aj ∈ Z. j

A divisor is therefore an element of the free abelian group generated by the symbols [P ]. The group of divisors is denoted Div(E). Define the degree and sum of a divisor by

aj [Pj ]) = aj ∈ Z deg( j

j

j

j



sum( aj [Pj ]) = aj Pj ∈ E(K). The sum function simply uses the group law on E to add up the points that are inside the symbols. The divisors of degree 0 form an important subgroup of Div(E), denoted Div0 (E). The sum function gives a surjective homomorphism sum : Div0 (E) → E(K). The surjectivity is because sum([P ] − [∞]) = P. The kernel consists of divisors of functions (see Theorem 11.2 below), which we’ll now describe. Assume E is given by y 2 = x3 + Ax + B. A function on E is a rational function f (x, y) ∈ K(x, y)

339

340

CHAPTER 11 DIVISORS

that is defined for at least one point in E(K) (so, for example, the rational function 1/(y 2 − x3 − Ax − B) is not allowed). The function takes values in K ∪ {∞}. There is a technicality that is probably best described by an example. Suppose y 2 = x3 − x is the equation of the elliptic curve. The function f (x, y) =

x y

is not defined at (0, 0). However, on E, y x = 2 , y x −1 which is defined and takes on the value 0 at (0, 0). Similarly, the function y/x can be changed to (x2 − 1)/y, which takes on the value ∞ at (0, 0). It can be shown that a function can always be transformed in this manner so as to obtain an expression that is not 0/0 and hence gives a uniquely determined value in K ∪ {∞}. A function is said to have a zero at a point P if it takes the value 0 at P , and it has a pole at P if it takes the value ∞ at P . However, we need more refined information, namely the order of the zero or pole. Let P be a point. It can be shown that there is a function uP , called a uniformizer at P , with u(P ) = 0 and such that every function f (x, y) can be written in the form f = urP g,

with r ∈ Z and g(P ) = 0, ∞.

Define the order of f at P by ordP (f ) = r. Example 11.1 On y 2 = x3 − x, it can be shown that the function y is a uniformizer at (0, 0). We have 1 , x = y2 2 x −1 and 1/(x2 − 1) is nonzero and finite at (0, 0). Therefore, ord(0,0) (x) = 2,

and

ord(0,0) (x/y) = 1.

This latter fact agrees with the above computation that showed that x/y vanishes at (0, 0). Example 11.2 At any finite point P = (x0 , y0 ) on an elliptic curve, the uniformizer uP can be taken from the equation of a line that passes through P but is not tangent

SECTION 11.1 DEFINITIONS AND EXAMPLES

341

to E. A natural choice is uP = x − x0 = 0 when y0 = 0 and uP = y when y0 = 0. For example, let P = (−2, 8) on the curve y 2 = x3 + 72. The line x+2=0 passes through P , so we take uP (x, y) = x + 2. The function f (x, y) = x + y − 6 vanishes at P . Let’s find its order of vanishing at P . The equation for the curve can be rewritten as (y + 8)(y − 8) = (x + 2)3 − 6(x + 2)2 + 12(x + 2). Therefore,   (x + 2)2 − 6(x + 2) + 12 f (x, y) = (x + 2) + (y − 8) = (x + 2) 1 + . y+8 The function in parentheses is finite and does not vanish at P , so ordP (f ) = 1. The function 3 t(x, y) = (x + 2) − y + 8 4 comes from the tangent line to E at P . We have   3 (x + 2)2 − 6(x + 2) + 12 t(x, y) = (x + 2) − 4 y+8   (x + 2) −4(x + 2)2 + 24(x + 2) + 3(y − 8) = 4(y + 8)   (x + 2)2 (x + 2)2 − 6(x + 2) + 12 = −4(x + 2) + 24 + 3 . 4(y + 8) y+8 The expression in parentheses is finite and does not vanish at P , so ordP (t) = 2. In general, the equation of a tangent line will yield a function that vanishes to order at least 2 (equal to 2 unless 3P = ∞ in the group law of E, in which case the order is 3). Example 11.3 The point at infinity is a little harder to deal with. If the elliptic curve E is given by y 2 = x3 + Ax + B, a uniformizer at ∞ is u∞ = x/y. This choice is motivated by the complex situation: The Weierstrass function ℘ gives the x-coordinate and 12 ℘ gives the y-coordinate. Recall that the point 0 ∈ C/L corresponds to ∞ on E. Since ℘ has a double pole at 0 and ℘ has a triple pole at 0, the quotient ℘/℘ has a simple zero at 0, hence can be used as a uniformizer at 0 in C/L.

342

CHAPTER 11 DIVISORS

Let’s compute the order of x and y. Rewriting the equation for E as  −1  2 x B A −1 =x 1+ 2 + 3 y x x shows that x/y vanishes at ∞ and that ord∞ (x) = −2 (given that x/y is a uniformizer). Since y = x · (y/x), we have ord∞ (y) = −3. Note that the orders of x and y at ∞ agree with what we expect from looking at the Weierstrass ℘-function. If f is a function on E that is not identically 0, define the divisor of f to be
ordP (f )[P ] ∈ Div(E). div(f ) = P ∈E(K)

This is a finite sum, hence a divisor, by the following. PROPOSITION 11.1 Let E be an elliptic curve and let f be a function on E that is not identically 0. 1. f has only finitely many zeros and poles 2. deg(div(f )) = 0 3. If f has no zeros or poles (so div(f ) = 0), then f is a constant. For a proof, see [42, Ch.8, Prop. 1] or [49, II, Cor. 6.10]. The complex analytic analogue of the proposition is Theorem 9.1. Note that it is important to look at points with coordinates in K. It is easy to construct nonconstant functions with no zeros or poles at the points in E(K), and it is easy to construct functions that have zeros but no poles in E(K) (see Exercise 11.1). The divisor of a function is said to be a principal divisor. Suppose P1 , P2 , P3 are three points on E that lie on the line ax + by + c = 0. Then the function f (x, y) = ax + by + c has zeros at P1 , P2 , P3 . If b = 0 then f has a triple pole at ∞. Therefore, div(ax + by + c) = [P1 ] + [P2 ] + [P3 ] − 3[∞].

SECTION 11.1 DEFINITIONS AND EXAMPLES

343

The line through P3 = (x3 , y3 ) and −P3 is x − x3 = 0. The divisor of the function x − x3 is div(x − x3 ) = [P3 ] + [−P3 ] − 2[∞].

(11.1)

Therefore,   ax + by + c div = div(ax+ by + c)− div(x − x3 ) = [P1 ] + [P2 ]− [−P3 ]− [∞]. x − x3 Since P1 + P2 = −P3 on E, this may be rewritten as   ax + by + c [P1 ] + [P2 ] = [P1 + P2 ] + [∞] + div . x − x3 The following important result is the analogue of Theorem 9.6. THEOREM 11.2 Let E be an elliptic curve. Let D be a divisor on E with deg(D) = 0. Then there is a function f on E with div(f ) = D if and only if sum(D) = ∞. PROOF We have just shown that a sum [P1 ] + [P2 ] can be replaced by [P1 + P2 ] + [∞] plus the divisor of a function, call it g. Note also that sum(div(g)) = P1 + P2 − (P1 + P2 ) − ∞ = ∞. Equation (11.1) shows that [P1 ]+[P2 ] equals 2[∞] plus the divisor of a function when P1 + P2 = ∞. Therefore, the sum of all the terms in D with positive coefficients equals a single symbol [P ] plus a multiple of [∞] plus the divisor of a function. A similar result holds for the sum of the terms with negative coefficients. Therefore, there are points P and Q on E, a function g1 , and an integer n such that D = [P ] − [Q] + n[∞] + div(g1 ). Also, since g1 is the quotient of products of functions g with sum(div(g)) = ∞, we have sum(div(g1 )) = ∞. Since deg(div(g1 )) = 0 by Proposition 11.1, we have 0 = deg(D) = 1 − 1 + n + 0 = n.

344

CHAPTER 11 DIVISORS

Therefore, D = [P ] − [Q] + div(g1 ). Also, sum(D) = P − Q + sum(div(g1 )) = P − Q. Suppose sum(D) = ∞. Then P − Q = ∞, so P = Q and D = div(g1 ). Conversely, suppose D = div(f ) for some function f . Then [P ] − [Q] = div(f /g1 ). The following lemma implies that P = Q, and hence sum(D) = ∞. This completes the proof of Theorem 11.2. LEMMA 11.3 Let P, Q ∈ E(K) and suppose there exists a function h on E with div(h) = [P ] − [Q]. Then P = Q. Since the proof is slightly long, we postpone it until the end of this section. COROLLARY 11.4 The map  sum : Div0 (E) (principal divisors) −→ E(K) is an isomorphism of groups. PROOF Since sum([P ] − [∞]) = P , the sum map from Div0 (E) to E(K) is surjective. The theorem says that the kernel is exactly the principal divisors.

Corollary 11.4 shows that the group law on E(K) corresponds to the very natural group law on Div0 (E) mod principal divisors. Example 11.4 The proof of the theorem gives an algorithm for finding a function with a given divisor (of degree 0 and sum equal to ∞). Consider the elliptic curve E over F11 given by y 2 = x3 + 4x. Let D = [(0, 0)] + [(2, 4)] + [(4, 5)] + [(6, 3)] − 4[∞].

SECTION 11.1 DEFINITIONS AND EXAMPLES

345

Then D has degree 0 and an easy calculation shows that sum(D) = ∞. Therefore, D is the divisor of a function. Let’s find the function. The line through (0, 0) and (2, 4) is y − 2x = 0. It is tangent to E at (2, 4), so div(y − 2x) = [(0, 0)] + 2[(2, 4)] − 3[∞]. The vertical line through (2, 4) is x − 2 = 0, and div(x − 2) = [(2, 4)] + [(2, −4)] − 2[∞]. Therefore,  D = [(2, −4)] + div

y − 2x x−2

 + [(4, 5)] + [(6, 3)] − 3[∞].

Similarly, we have  [(4, 5)] + [(6, 3)] = [(2, 4)] + [∞] + div

y+x+2 x−2

 ,

which yields  D = [(2, −4)] + div

y − 2x x−2



 + [(2, 4)] + div

y+x+2 x−2

 − 2[∞].

Since we have already calculated div(x − 2), we use this to conclude that     y+x+2 y − 2x + div D = div(x − 2) + div x−2 x−2   (y − 2x)(y + x + 2) = div . x−2 This function can be simplified. The numerator is (y − 2x)(y + x + 2) = y 2 − xy − 2x2 + 2y − 4x = x3 − xy − 2x2 + 2y (since y 2 = x3 + 4x) = (x − 2)(x2 − y). Therefore, D = div(x2 − y).

Proof of Lemma 11.3: Suppose P = Q and div(h) = [P ] − [Q]. Then, for any constant c, the function h − c has a simple pole at Q and therefore, by Proposition 11.1, it

346

CHAPTER 11 DIVISORS

has exactly one zero, which must be simple. Let f be any function on E. If f does not have a zero or pole at Q, then  ord (f ) (h(x, y) − h(R)) R g(x, y) = R∈E(K)

has the same divisor as f (since we are assuming that ordQ (f ) = 0, the factor for R = Q is defined to be 1). The only thing to check is that the poles of h(x, y) at Q cancel out. Each factor  has a pole at (x, y) = Q of order ordR (f ) (or a zero if ordR (f ) < 0). Since R ordR (f ) = 0, these cancel. Since f and g have the same divisor, the quotient f /g has no zeros or poles, and is therefore constant. It follows that f is a rational function of h. If f has a zero or pole at Q, the factor for R = Q in the above product is not defined. However, f · hordR (f ) has no zero or pole at Q. The above reasoning shows that it is therefore a rational function of h, so the same holds for f . We have shown that every function on E(K) is a rational function of h. In particular, x and y are rational functions of h. The following result shows that this is impossible. This contradiction means that we must have P = Q. LEMMA 11.5 Let E be an elliptic curve over K (of characteristic not 2) given by y 2 = x3 + Ax + B. Let t be an indeterminate. There are no nonconstant rational functions X(t) and Y (t) in K(t) such that Y (t)2 = X(t)3 + AX(t) + B. PROOF

Factor the cubic polynomial as x3 + Ax + B = (x − e1 )(x − e2 )(x − e3 ),

where e1 , e2 , e3 ∈ K are distinct. Suppose X(t), Y (t) exist. Write X(t) =

P1 (t) , P2 (t)

Y (t) =

Q1 (t) , Q2 (t)

where P1 , P2 , Q1 , Q2 are polynomials in t. We may assume that P1 (t), P2 (t) have no common roots, and that Q1 (t), Q2 (t) have no common roots. Substituting into the equation for E yields   Q1 (t)2 P2 (t)3 = Q2 (t)2 P1 (t)3 + AP1 (t)P2 (t)2 + BP2 (t)3 . Since the right side is a multiple of Q2 (t)2 , so is the left side. Since Q1 , Q2 have no common roots, P23 must be a multiple of Q22 . A common root of

347

SECTION 11.1 DEFINITIONS AND EXAMPLES

P2 and P13 + AP1 P22 + BP23 would be a root of P13 . Since P1 and P2 have no roots in common, this is impossible. Therefore, Q22 must be a multiple of P23 . Therefore, P23 and Q22 are multiples of each other, hence are constant multiples of each other. By adjusting P1 and Q1 if necessary, we may assume that P23 = Q22 . Canceling these from the equation yields Q21 = P13 + AP1 P22 + BP23 = (P1 − e1 P2 )(P1 − e2 P2 )(P3 − e3 P2 ). Suppose i = j and P1 − ei P2 and P1 − ej P2 have a common root r. Then r is a root of ej (P1 − ei P2 ) − ei (P1 − ej P2 ) = (ej − ei )P1

(11.2)

(P1 − ei P2 ) − (P1 − ej P2 ) = (ej − ei )P2 .

(11.3)

and of

Since ej − ei = 0, this means that r is a common root of P1 and P2 , which is a contradiction. Therefore P1 − ei P2 and P1 − ej P2 have no common roots when i = j. Since the product (P1 − e1 P2 )(P1 − e2 P2 )(P1 − e3 P2 ) is the square of a polynomial, each factor must be a square of a polynomial in K[t] (it might seem that each factor is a constant times a square, but all constants are squares in the algebraically closed field K, hence can be absorbed into the squares of polynomials). Since P23 = Q22 , we find that P2 must also be a square of a polynomial. LEMMA 11.6 Let P1 and P2 be polynomials in K[t] with no common roots. Suppose there are four pairs (ai , bi ), 1 ≤ i ≤ 4, with ai , bi ∈ K satisfying 1. for each i, at least one of ai , bi is nonzero 2. if i = j, then there does not exist c ∈ K

×

with (ai , bi ) = (caj , cbj )

3. ai P1 + bi P2 is a square of a polynomial for 1 ≤ i ≤ 4. Then P1 , P2 are constant polynomials. PROOF The assumptions imply that any two of the vectors (ai , bi ) are 2 linearly independent over K and therefore span K . Suppose that at least one of P1 , P2 is nonconstant. We may assume that P1 , P2 are chosen so that Max(deg(P1 ), deg(P2 )) > 0

348

CHAPTER 11 DIVISORS

is as small as possible. Since P1 , P2 have no common roots, it is easy to see that they must be linearly independent over K. Let ai P1 + bi P2 = Ri2 ,

1 ≤ i ≤ 4.

(11.4)

Note that when i = j, the polynomial Ri2 cannot be a constant multiple of Rj2 , since otherwise the linear independence of P1 , P2 would imply that (ai , bi ) is a constant multiple of (aj , bj ). Since the vectors (a3 , b3 ) and (a4 , b4 ) are linear combinations of (a1 , b1 ) and (a2 , b2 ), there are constants c1 , c2 , d1 , d2 ∈ K such that R32 = c1 R12 − d1 R22 ,

R42 = c2 R12 − d2 R22 .

If (c1 , d1 ) is proportional to (c2 , d2 ), then R32 is a constant times R42 , which is not possible. Therefore, (c1 , d1 ) and (c2 , d2 ) are not proportional. Moreover, since (a1 , b1 ) and (a2 , b2 ) are linearly independent, Equation (11.4) for i = 1, 2 can be solved for P1 and P2 , showing that P1 and P2 are linear combinations of R12 and R22 . Therefore, a common root of R1 and R2 is a common root of P1 and P2 , which doesn’t exist. It follows that R1 and R2 have no common roots. It follows easily (by using equations similar to (11.2) and (11.3)) that √ √ c1 R1 − d1 R2 c1 R1 + d1 R2 and have no common roots. Since their product√ is square, namely R32√ , each factor √ √ must be a square. Similarly, both c2 R1 + d2 R2 and c2 R1 − d2 R2 must be squares. Therefore, R1 , R2 are polynomials satisfying the conditions of the lemma for the pairs √ √ √ √ ( c1 , d1 ), ( c1 , − d1 ), ( c2 , d2 ), ( c2 , − d2 ). Since (c1 , d1 ) and (c2 , d2 ) are not proportional, neither of the first two pairs √ √ c , d is proportional to either of the last two pairs. If ( 1 1 ) is proportional to √ √ ( c1 , − d1 ), then either c1 or d1 is zero, which means that R32 is a constant multiple of either R12 or R22 . This cannot be the case, as pointed out above. Similarly, the last two pairs are not proportional. Equation (11.4) implies that Max(deg(P1 ), deg(P2 )) ≥ 2Max(deg(R1 ), deg(R2 )). Since R1 and R2 are clearly nonconstant, this contradicts the minimality of Max(deg(P1 ), deg(P2 )). Therefore, all polynomials P1 , P2 satisfying the conditions of the lemma must be constant. This proves Lemma 11.6. Returning to the proof of Lemma 11.5, we have polynomials P1 , P2 and pairs (1, −e1 ), (1, −e2 ), (1, −e3 ), (0, 1)

SECTION 11.2 THE WEIL PAIRING

349

satisfying the conditions of Lemma 11.6. Therefore, P1 and P2 must be constant. But X(t) = P1 /P2 is nonconstant, so we have a contradiction. This completes the proof of Lemma 11.5. As pointed out above, Lemma 11.5 completes the proof of Lemma 11.3.

11.2 The Weil Pairing The goal of this section is to construct the Weil pairing and prove its basic properties that were stated in Section 3.3. Recall that n is an integer not divisible by the characteristic of the field K, and that E is an elliptic curve such that E[n] ⊆ E(K). We want to construct a pairing en : E[n] × E[n] → µn , where µn is the set of nth roots of unity in K (as we showed in Section 3.3, the assumption E[n] ⊆ E(K) forces µn ⊂ K). Let T ∈ E[n]. By Theorem 11.2, there exists a function f such that div(f ) = n[T ] − n[∞].

(11.5)

Choose T  ∈ E[n2 ] such that nT  = T . We’ll use Theorem 11.2 to show that there exists a function g such that
div(g) = ([T  + R] − [R]). R∈E[n]

We need to verify that the sum of the points in the divisor is ∞. This  follows from the fact that there are n2 points R in E[n]. The points R in [T  + R] and [R] cancel, so the sum is n2 T  = nT = ∞. Note that g does not depend on the choice of T  since any two choices for T  differ by an element R ∈ E[n]. Therefore, we could have written

div(g) = [T  ] − [R]. nT

=T

nR=∞

Let f ◦ n denote the function that starts with a point, multiplies it by n, then applies f . The points P = T  + R with R ∈ E[n] are those points P with nP = T . It follows from (11.5) that 





 [T + R] − n [R] = div(g n ). div(f ◦ n) = n R

R

350

CHAPTER 11 DIVISORS

Therefore, f ◦ n is a constant multiple of g n . By multiplying f by a suitable constant, we may assume that f ◦ n = gn . Let S ∈ E[n] and let P ∈ E(K). Then g(P + S)n = f (n(P + S)) = f (nP ) = g(P )n . Therefore, g(P + S)/g(P ) ∈ µn . In fact, g(P + S)/g(P ) is independent of P . The proof of this is slightly technical: In the Zariski topology, g(P + S)/g(P ) is a continuous function of P and E is connected. Therefore, the map to the finite discrete set µn must be constant. Define the Weil pairing by en (S, T ) =

g(P + S) . g(P )

(11.6)

Since g is determined up to a scalar multiple by its divisor, this definition is independent of the choice of g. Note that (11.6) is independent of the choice of the auxiliary point P . The main properties of en are given in the following theorem, which was stated in Section 3.3. THEOREM 11.7 Let E be an elliptic curve defined over a field K and let n be a positive integer. Assume that the characteristic of K does not divide n. Then the Weil pairing en : E[n] × E[n] → µn satisfies the following properties: 1. en is bilinear in each variable. This means that en (S1 + S2 , T ) = en (S1 , T )en (S2 , T ) and en (S, T1 + T2 ) = en (S, T1 )en (S, T2 ) for all S, S1 , S2 , T, T1 , T2 ∈ E[n]. 2. en is nondegenerate in each variable. This means that if en (S, T ) = 1 for all T ∈ E[n] then S = ∞ and also that if en (S, T ) = 1 for all S ∈ E[n] then T = ∞. 3. en (T, T ) = 1 for all T ∈ E[n]. 4. en (T, S) = en (S, T )−1 for all S, T ∈ E[n].

SECTION 11.2 THE WEIL PAIRING

351

5. en (σS, σT ) = σ(en (S, T )) for all automorphisms σ of K such that σ is the identity map on the coefficients of E (if E is in Weierstrass form, this means that σ(A) = A and σ(B) = B). 6. en (α(S), α(T )) = en (S, T )deg(α) for all separable endomorphisms α of E. If the coefficients of E lie in a finite field Fq , then the statement also holds when α is the Frobenius endomorphism φq . (Actually, the statement holds for all endomorphisms α, separable or not. See [38].) PROOF (1) Since en is independent of the choice of P , we use (11.6) with P and with P + S1 to obtain g(P + S1 ) g(P + S1 + S2 ) g(P ) g(P + S1 ) g(P + S1 + S2 ) = g(P ) = en (S1 + S2 , T ).

en (S1 , T )en (S2 , T ) =

This proves linearity in the first variable. Suppose T1 , T2 , T3 ∈ E[n] with T1 + T2 = T3 . For 1 ≤ i ≤ 3, let fi , gi be the functions used above to define en (S, Ti ). By Theorem 11.2, there exists a function h such that div(h) = [T3 ] − [T1 ] − [T2 ] + [∞]. Equation (11.5) yields  div

f3 f1 f2

 = n div(h) = div(hn ).

Therefore, there exists a constant c ∈ K

×

such that

f3 = cf1 f2 hn . This implies that g3 = c1/n (g1 )(g2 )(h ◦ n). The definition of en yields g1 (P + S) g2 (P + S) h(n(P + S)) g3 (P + S) = g3 (P ) g1 (P ) g2 (P ) h(nP ) = en (S, T1 ) en (S, T2 ),

en (S, T1 + T2 ) =

since nS = ∞, so h(n(P + S)) = h(nP ). This proves linearity in the second variable.

352

CHAPTER 11 DIVISORS

(2) Suppose T ∈ E[n] is such that en (S, T ) = 1 for all S ∈ E[n]. This means that g(P + S) = g(P ) for all P and for all S ∈ E[n]. By Proposition 9.34, there is a function h such that g = h ◦ n. Then (h ◦ n)n = g n = f ◦ n. Since multiplication by n is surjective on E(K), we have hn = f . Therefore, n div(h) = div(f ) = n[T ] − n[∞], so div(h) = [T ] − [∞]. By Theorem 11.2, we have T = ∞. This proves half of (2). The nondegeneracy in S follows immediately from (4) plus the nondegeneracy in T . (3) Let τjT represent adding jT , so f ◦ τjT denotes the function P → f (P + jT ). The divisor of f ◦ τjT is n[T − jT ] − n[−jT ]. Therefore, ⎞ ⎛ n−1 n−1 
f ◦ τjT ⎠ = (n[(1 − j)T ] − n[−jT ]) = 0. div ⎝ j=0

j=0

n−1 This means that j=0 f ◦ τjT is constant. The nth power of the function n−1 j=0 g ◦ τjT
is the above product of f ’s composed with multiplication by n, hence is constant. Since ⎞n ⎛ n−1 n−1   ⎝ g ◦ τjT
⎠ = f ◦ n ◦ τjT
j=0

j=0

=

n−1 

(since nT  = T ).

f ◦ τjT ◦ n

j=0

n−1 Since we have proved that this last product is constant, it follows that j=0 g◦ τjT
is constant (we are again using the connectedness of E in the Zariski topology). Therefore, it has the same value at P and P + T  , so n−1 





g(P + T + jT ) =

j=0

n−1 

g(P + jT  ).

j=0

Canceling the common terms (we assume P is chosen so that all terms are finite and nonzero) yields g(P + nT  ) = g(P ). Since nT  = T , this means that en (T, T ) =

g(P + T ) = 1. g(P )

SECTION 11.2 THE WEIL PAIRING

353

(4) By (1) and (3), 1 = en (S + T, S + T ) = en (S, S) en (S, T ) en (T, S) en (T, T ) = en (S, T ) en (T, S). Therefore en (T, S) = en (S, T )−1 . (5) Let σ be an automorphism of K such that σ is the identity on the coefficients of E. Apply σ to everything in the construction of en . Then div(f σ ) = n[σT ] − n[∞] and similarly for g σ , where f σ and g σ denote the functions obtained by applying σ to the coefficients of the rational functions defining f and g (cf. Section 8.9). Therefore,   g(P + S) g σ (σP + σS) = en (σS, σT ). σ(en (S, T )) = σ = g(P ) g σ (σP ) (6) Let {Q1 , . . . , Qk } = Ker(α). Since α is a separable morphism, k = deg(α) by Proposition 2.21. Let div(fT ) = n[T ] − n[∞], and

div(fα(T ) ) = n[α(T )] − n[∞]

gTn = fT ◦ n,

n gα(T ) = fα(T ) ◦ n.

As in (3), let τQ denote adding Q. We have div(fT ◦ τ−Qi ) = n[T + Qi ] − n[Qi ]. Therefore,




div(fα(T ) ◦ α) = n

α(T

)=α(T )

=n







[T  ] − n

[Q]

α(Q)=∞

([T + Qi ] − [Qi ])

i

 = div( (fT ◦ τ−Qi )). i

For each i, choose

Qi

with

nQi

= Qi . Then

gT (P − Qi )n = fT (nP − Qi ). Consequently,



 div (gT ◦ τ−Q
i )n i



 = div( fT ◦ τ−Qi ◦ n) i

= div(fα(T ) ◦ α ◦ n) = div(fα(T ) ◦ n ◦ α) = div(gα(T ) ◦ α)n .

354

CHAPTER 11 DIVISORS

 Therefore, i gT ◦ τ−Q
i and gα(T ) ◦ α have the same divisor and hence differ by a constant C. The definition of en yields en (α(S), α(T )) = =

gα(T ) (α(P + S)) gα(T ) (α(P ))  gT (P + S − Q ) i

=



gT (P − Qi )

i

(the constant C cancels out)

en (S, T )

i

(since both P and P − Qi give the same value of en )

= en (S, T )k = en (S, T )deg(α) .

When α = φq is the Frobenius endomorphism, then (5) implies that en (φq (S), φq (T )) = φq (en (S, T )) = en (S, T )q , since φq is the qth power map on elements of Fq . From Lemma 2.20, we have that q = deg(φq ), which proves (6) when α = φq . This completes the proof of Theorem 11.7.

11.3 The Tate-Lichtenbaum Pairing In this section, we give an alternative definition of the Tate-Lichtenbaum pairing and the modified Tate-Lichtenbaum pairing, which were introduced in Chapter 3. In Section 11.6.2, we show that these two definitions are equivalent. THEOREM 11.8 Let E be an elliptic curve over Fq . Let n be an integer such that n|q − 1. Let E(Fq )[n] denote the elements of E(Fq ) of order dividing n, and let µn = {x ∈ Fq | xn = 1}. Then there are nondegenerate bilinear pairings × n

· , ·n : E(Fq )[n] × E(Fq )/nE(Fq ) → F× q /(Fq )

and τn : E(Fq )[n] × E(Fq )/nE(Fq ) → µn . The first pairing of the theorem is called the Tate-Lichtenbaum pairing. We’ll refer to τn as the modified Tate-Lichtenbaum pairing. The pairing τn is better suited for computations since it gives a definite answer, rather than a coset in F× q mod nth powers. As pointed out in Chapter 3, we should write

SECTION 11.3 THE TATE-LICHTENBAUM PAIRING

355

P, Q + nE(Fq )n , and similarly for τn , since an element of E(Fq )/nE(Fq ) has the form Q + nE(Fq ). However, we’ll simply write P, Qn and τn (P, Q). PROOF The essential idea is the following. Let P ∈ E(Fq )[n]and let ai [Qi ] div(f ) = n([P ] − [∞]). Let Q ∈ E(Fq ) and choose a divisor DQ = that is equivalent to [Q] − [∞] modulo principal divisors and that does not contain P or ∞. Then  f (Qi )ai .

P, Qn = f (DQ ) = i

However, we want to be more careful about our choices of divisors and functions, so we need a few preliminary results. Let P ∈ E(Fq )[n]. Let DP be a divisor of degree 0 such that sum(DP ) = P . This means that DP − [P ] + [∞] has degree 0 and sum equal to ∞, hence is the divisor of a function, by Theorem 11.2. Therefore, DP is equivalent to [P ] − [∞] mod principal divisors. We also assume that φ(DP ) = DP , where φ is the qth power Frobenius. This means that φ permutes the points in DP in such a way that the divisor is unchanged. This is the case, for example, if all the points occurring in DP are in E(Fq ). The next lemma shows that we have a lot of choices for choosing divisors. LEMMA 11.9 Let E be an elliptic curve over Fq and let D1 be a divisor such that φ(D1 ) = D1 . Let S ⊂ E(Fq ) be a finite set of points. Then there exists a divisor D such that φ(D) = D, the divisors D and D1 differ by a principal divisor, and D contains no points from S. d PROOF Let D1 = j=1 cj [Pj ]. Since the points Pj lie in some finite group E(Fqk ), there is an integer M ≥ 1 such that M Pj = ∞ for all j. Let m ≡ 1 (mod M ) and let T ∈ E(Fqm ). Then φm (T ) = T , so φ permutes the set {T, φ(T ), . . . , φm−1 (T )}. Let D=

m−1 d



  cj [Pj + φi (T )] − [φi (T )] .

i=0 j=1

Since φ(D1 ) = D1 , for each j we have φ(Pj ) = Pj
and cj = cj
for some j  . It follows that the summands are permuted by φ, so φ(D) = D. Since m ≡ 1 (mod M ), we have sum

m−1
i=0

 ([Pj + φ (T )] − [φ (T )]) i

i

= mPj = Pj .

356

CHAPTER 11 DIVISORS

Therefore, sum(D1 − D) = 0 and deg(D1 − D) = 0, which implies that D1 − D is principal. If D contains a point from S, then either φi (T ) ∈ S or Pj + φi (T ) ∈ S for some i, j. This means that T is in a set obtained by translating φ−i (S) by either ∞ or one of the points φ−i (Pj ). Let s = #S. There are at most m(d + 1)s points in the union of these sets. By Hasse’s theorem, E(Fqm ) contains at least q m + 1 − 2q m/2 points. Since #E(Fqm ) − m(d + 1)s → ∞ as m → ∞, we can, by varying m, choose T not in these sets and thus obtain a divisor containing no points from S. Suppose that we have chosen DP . By Theorem 11.2, there exists a function f such that div(f ) = nDP . But we want a little more. Let f φ denote the result of applying φ to the coefficients of a rational function defining f . Then φ(f (X)) = f φ (φ(X)) for all X ∈ E(Fq ). LEMMA 11.10 Let D be a principal divisor with φ(D ) = D . Then there exists f such that div(f ) = D and f φ = f (so f is defined over Fq ). PROOF

Start with any f1 (defined over Fq ) such that div(f1 ) = D . Then div(f1φ ) = φ(D ) = D = div(f1 ), ×

×

so f1φ /f1 = c ∈ Fq is constant. Choose d ∈ Fq such that c = dq−1 = φ(d)/d. Then φ(d)/d = c = f1φ /f1 . Therefore, ((1/d)f1 )φ = (1/φ(d))f1φ = (1/d)f1 . Since d is constant, the function f = (1/d)f1 has the same divisor as f1 . This proves the lemma.  Now let DQ = i ai [Qi ] be a divisor of degree 0 such that sum(DQ ) = Q and such that DP and DQ have no points in common. Assume that φ(DQ ) = DQ . Let f satisfy f φ = f and div(f ) = nDP . Define

P, Qn = f (DQ )

n (mod (F× q ) ),

where, for any function f whose divisor has no points in common with DQ , we define  f (DQ ) = f (Qi )ai . i

SECTION 11.3 THE TATE-LICHTENBAUM PAIRING

357

Note that once we have chosen DP , thefunction f is determined up to a constant multiple. Since 0 = deg(DQ ) = i ai , any such constant cancels out in the definition of the pairing. We need to see what happens when we change the choice of DP or DQ .  are divisors of degree 0 with sums P and Q, and that Suppose DP and DQ   φ(DQ ) = DQ and φ(DP ) = DP . Then DP = DP + div(g),

 DQ = DQ + div(h),

for some functions g and h. By Lemma 11.10, we may assume that g, h are defined over Fq . We have div(f  ) = nDP for some function f  defined over Fq .  has no points in common with DP and DP and that First, assume that DQ DP also has no points in common with DQ . Since div(f  ) = div(f g n ),  f  = cf g n for some constant c. Let’s use f  and DQ to define a pairing, and  denote it by · , ·n . We obtain    n  n ) = f (DQ ) g(DQ ) = f (DQ ) f (div(h)) g(DQ ) .

P, Qn = f  (DQ  Note that the constant c canceled out since deg(DQ ) = 0. We now need the following result, which is usually called Weil reciprocity.

LEMMA 11.11 Let f and h be two functions on E and suppose that div(f ) and div(h) have no points in common. Then f (div(h)) = h(div(f )). For a proof, see [59, p. 427] or [109]. In our situation, Weil reciprocity yields  n

P, Qn = f (DQ ) h(div(f )) g(DQ )  n = f (DQ ) h(DP )n g(DQ ) .

 Since φ(h(DP )) = h(φ(DP )) = h(DP ) and similarly for g(DQ ), we have  × h(DP ), g(DQ ) ∈ Fq . Therefore,

P, Qn ≡ P, Qn

n (mod (F× q ) ),

so the pairing is independent mod nth powers of the choice of DP and DQ .  could have points in comFor the general case where DP , DP and DQ , DQ  that are disjoint mon, use Lemma 11.9 to choose disjoint divisors DP and DQ from all of these divisors. Then

P, Qn ≡ P, Qn ≡ P, Qn

n (mod (F× q ) ).

358

CHAPTER 11 DIVISORS

Therefore, the pairing is independent mod nth powers of the choice of DP and DQ . If Q1 and Q2 are two points and DQ1 and DQ2 are corresponding divisors, then DQ1 + DQ2 ∼ [Q1 ] − [∞] + [Q2 ] − [∞] ∼ [Q1 + Q2 ] − [∞] where ∼ denotes equivalence of divisors mod principal divisors. The last equivalence is the fact that the sum function in Corollary 11.4 is a homomorphism of groups. Consequently,

P, Q1 + Q2 n = f (DQ1 )f (DQ2 ) = P, Q1 n P, Q2 n . Therefore, the pairing is linear in the second variable. If P1 , P2 ∈ E(Fq )[n], and DP1 , DP2 are corresponding divisors and f1 , f2 are the corresponding functions, then DP1 + DP2 ∼ [P1 ] − [∞] + [P2 ] − [∞] ∼ [P1 + P2 ] − [∞]. Therefore, we can let DP1 +P2 = DP1 + DP2 . We have div(f1 f2 ) = nDP1 + nDP2 = nDP1 +P2 , so f1 f2 can be used to compute the pairing. Therefore,

P1 + P2 , Qn = f1 (DQ )f2 (DQ ) = P1 , Qn P2 , Qn . Consequently, the pairing is linear in the first variable. The nondegeneracy is much more difficult to prove. This will follow from the main results of Sections 11.7 and 11.6.2; namely, the present pairing is the same as the pairing defined in Chapter 3, and that pairing is nondegenerate. Since F× q is cyclic of order q − 1, the (q − 1)/n-th power map gives an isomorphism × n F× q /(Fq ) −→ µn . Therefore, define

τn (P, Q) = P, Q(q−1)/n . n

The desired properties of the modified Tate-Lichtenbaum pairing τn follow immediately from those of the Tate-Lichtenbaum pairing.

11.4 Computation of the Pairings In Section 11.1, we showed how to express a divisor of degree 0 and sum ∞ as a divisor of a function. This method suffices to compute the Weil and Tate-Lichtenbaum pairings for small examples. However, for larger examples,

SECTION 11.4 COMPUTATION OF THE PAIRINGS

359

a little care is needed to avoid massive calculations. Also, the definition given for the Weil pairing involves a function g whose divisor includes contributions from all of the n2 points in E[n]. When n is large, this can cause computational difficulties. The following result gives an alternate definition of the Weil pairing en . THEOREM 11.12 Let S, T ∈ E[n]. Let DS and DT be divisors of degree 0 such that sum(DS ) = S

and

sum(DT ) = T

and such that DS and DT have no points in common. Let fS and fT be functions such that div(fS ) = nDS

and

div(fT ) = nDT .

Then the Weil pairing is given by en (S, T ) =   (Recall that f ( ai [Pi ]) = i f (Pi )ai .)

fT (DS ) . fS (DT )

The proof is given in Section 11.6.1. REMARK 11.13 Some authors define the Weil pairing as fS (DT )/fT (DS ), thus obtaining the inverse of the value we use. A natural choice of divisors is DS = [S] − [∞],

DT = [T + R] − [R]

for some randomly chosen point R. Then we have en (S, T ) =

fS (R)fT (S) . fS (T + R)fT (∞)

Example 11.5 Let E be the elliptic curve over F7 defined by y 2 = x3 + 2. Then E(F7 )[3]  Z3 ⊕ Z3 . In fact, this is all of E(F7 ). Let’s compute e3 ((0, 3), (5, 1)).

360

CHAPTER 11 DIVISORS

Let D(0,3) = [(0, 3)] − [∞],

D(5,1) = [(3, 6)] − [(6, 1)].

The second divisor was obtained by adding R = (6, 1) to (5, 1) to obtain (3, 6) = (5, 1) + (6, 1). A calculation (see Section 11.1) shows that   4x − y + 1 div(y − 3) = 3D(0,3) , div = 3D(5,1) . 5x − y − 1 Therefore, we take f(0,3) = y − 3,

f(5,1) =

4x − y + 1 . 5x − y − 1

We have   f(0,3) (3, 6) 6−3 = ≡2 f(0,3) D(5,1) = f(0,3) (6, 1) 1−3

(mod 7).

Similarly, f(5,1) (D(0,3) ) = 4 (to evaluate f(5,1) (∞), see below). Therefore, e3 ((0, 3), (5, 1)) =

4 ≡ 2 (mod 7). 2

The number 2 is a cube root of unity, since 23 ≡ 1 (mod 7). There are several ways to evaluate f(5,1) (∞). The intuitive way is to observe that y has a pole of order 3 at ∞ while x has a pole of order 2. Therefore, the terms −y in the numerator and denominator dominate as (x, y) → ∞, so the ratio goes to 1. Another way is to change to homogeneous form and use projective coordinates: f(5,1) (x : y : z) =

4x − y + z . 5x − y + z

Then f(5,1) (∞) = f(5,1) (0 : 1 : 0) = 1.

The Tate-Lichtenbaum pairing can be calculated as

P, Qn =

f (Q + R) f (R)

for appropriate f (depending on P ) and R (as long as there are enough points in E(Fq ) to choose R = P, −Q, P − Q, ∞) . We can express the Weil pairing in terms of this pairing:

T, Sn en (S, T ) = ,

S, T n

SECTION 11.4 COMPUTATION OF THE PAIRINGS

361

ignoring the ambiguities (i.e., up to nth powers) in the definition of the terms on the right side, since they cancel out. Therefore, we see that computing the Weil pairing and computing the TateLichtenbaum pairing both reduce to finding a function f with div(f ) = n[P + R] − n[R] for points P ∈ E[n] and R ∈ E and evaluating f (Q1 )/f (Q2 ) for points Q1 , Q2 . The following algorithm due to Victor Miller [83] shows how to do this efficiently. The idea is to use successive doubling (see page 18) to get to n. But the divisors j[P + R] − j[R] for j < n are not divisors of functions, so we introduce the divisors Dj = j[P + R] − j[R] − [jP ] + [∞].

(11.7)

Then Dj is the divisor of a function, by Theorem 11.2: div(fj ) = Dj .

(11.8)

Suppose we have computed fj (Q1 )/fj (Q2 ) and fk (Q1 )/fk (Q2 ). We show how to compute fj+k (Q1 )/fj+k (Q2 ). Let ax + by + c = 0 be the line through jP and kP (the tangent line if jP = kP ), and let x+d = 0 be the vertical line through (j + k)P . Then (see the proof of Theorem 11.2),   ax + by + c div = [jP ] + [kP ] − [(j + k)P ] − [∞]. x+d Therefore, 

div(fj+k ) = Dj+k

ax + by + c = Dj + Dk + div x+d   ax + by + c = div fj fk . x+d



This means that there exists a constant γ such that fj+k = γfj fk

ax + by + c . x+d

Therefore, fj+k (Q1 ) fj (Q1 ) fk (Q1 ) (ax + by + c)/(x + d)|(x,y)=Q1 = . fj+k (Q2 ) fj (Q2 ) fk (Q2 ) (ax + by + c)/(x + d)|(x,y)=Q2

(11.9)

We conclude that passing from fj and fk to fj+k can be done quite quickly.

362

CHAPTER 11 DIVISORS

For example, this means that if we know fj (Q1 )/fj (Q2 ) for j = 2i , we can quickly calculate the same expression for j = 2i+1 . Also, once we have computed some of these, we can combine them to obtain the values when j is a sum of powers of 2. This is what happens when we do successive doubling to reach n. Therefore, we can compute fn (Q1 )/fn (Q2 ) quickly. But div(fn ) = n[P + R] − n[R] − [nP ] + [∞] = n[P + R] − n[R], since nP = ∞. Therefore, fn is the function f whose values we are trying to compute, so we have completed the calculation. The above method can be described in algorithmic form as follows. Let P ∈ E[n] and let R, Q1 , Q2 be points on E. Let fj be as in (11.8). Define vj = fj (Q1 )/fj (Q2 ) to be the value of fj at the divisor [Q1 ] − [Q2 ]. 1. Start with i = n, j = 0, k = 1. Let f0 = 1 and compute f1 with divisor [P + R] − [P ] − [R] + [∞]. 2. If i is even, let i = i/2 and compute v2k = f2k (Q1 )/f2k (Q2 ) in terms of vk , using (11.9). Then change k to 2k, but do not change j. Save the pair (vj , vk ) for the new value of k. 3. If i is odd, let i = i − 1, and compute vj+k = fj+k (Q1 )/fj+k (Q2 ) in terms of vj and vk , using (11.9). Then change j to j + k, but do not change k. Save the pair (vj , vk ) for the new value of j. 4. If i = 0, go to step 2. 5. Output vj . The output will be vn = fn (Q1 )/fn (Q2 ) (this can be proved by induction). Example 11.6 Suppose we want to calculate v13 . At the end of each computation, we have the following values of i, j, k, (vj , vk ): 1. i = 13, j = 0, k = 1, (v0 , v1 ) 2. i = 12, j = 1, k = 1, (v1 , v1 ) 3. i = 6, j = 1, k = 2, (v1 , v2 ) 4. i = 3, j = 1, k = 4, (v1 , v4 ) 5. i = 2, j = 5, k = 4, (v5 , v4 ) 6. i = 1, j = 5, k = 8, (v5 , v8 )

SECTION 11.4 COMPUTATION OF THE PAIRINGS

363

7. i = 0, j = 13, k = 8, (v13 , v8 ) Example 11.7 Let E be the elliptic curve y 2 = x3 − x + 1 over F11 , and let n = 5. There are 10 points in E(F11 ). The point P = (3, 6) has order 5. Let’s compute P, P 5 . Therefore, in the definition of the TateLichtenbaum pairing, we have P = Q = (3, 6). Let DP = [(3, 6)] − [∞],

DQ = [(1, 1)] − [(0, 1)] = [Q1 ] − [Q2 ].

The divisor DQ was constructed by adding (0, 1) to Q to obtain (1, 1). This was done so that DP and DQ have no points in common. We now use the algorithm to compute fP (DQ ), where div(fP ) = 5DP . In Equation (11.7), we have R = ∞, so D0 = D1 = 0. Therefore, we take f0 = f1 = 1. The algorithm proceeds as follows. 1. Start with i = 5, j = 0, k = 1, v0 = 1, v1 = 1. 2. Since i = 5 is odd, compute vj+k = v1 , which is already known to be 1. Update the values of i, j, k to obtain i = 4, j = 1, k = 1, v1 = 1, v1 = 1. 3. Since i = 4 is even, compute the line tangent to E at kP = P . This is 4x − y + 5 = 0. The vertical line through 2kP = 2P is x + 1 = 0. Therefore, Equation (11.9) becomes  4x − y + 5  v2 = v12 · = 1 · 1 = 1. x + 1  DQ Here we performed the calculation (4x − y + 5)|DQ =

(4x − y + 5)|(1,1) (4x − y + 5)|(0,1)

=

8 =2 4

and similarly (x + 1)|DQ = 2. Update to obtain i = 2, j = 1, k = 2, v1 = 1, v2 = 1. 4. Since i = 2 is even, use the computation of 4P = 2P + 2P to obtain  x + y + 2  v4 = v2 · v 2 · = 1 · 1 · 2 = 2. x − 3  DQ Update to obtain i = 1, j = 1, k = 4, v1 = 1, v4 = 2.

364

CHAPTER 11 DIVISORS

5. Since i = 1 is odd, use the computation of 5P = P + 4P to obtain v5 = v1 · v4 · (x − 3)|DQ = 1 · 2 · (2/3) ≡ 5 (mod 11). Therefore, the Tate-Lichtenbaum pairing of P with P is 5

P, P 5 = v5 = 5 (mod (F× 11 ) ),

and the modified Tate-Lichtenbaum pairing is (11−1)/5

τ5 (P, P ) = P, P 5

≡3

(mod 11).

Note that, in contrast to the Weil pairing, the Tate-Lichtenbaum pairing of a point with itself can be nontrivial.

11.5 Genus One Curves and Elliptic Curves Let C be a nonsingular algebraic curve defined over a field K. The curve C is given as the roots in P2K of a polynomial, or as the intersection of surfaces in P3K , for example, and is assumed not to be the union of two smaller such curves. We can define divisors and divisors of functions on C in the same way as we did for elliptic curves. Let

D1 = ai [Pi ], D2 = bi [Pi ] be divisors on C. We say that D1 ≥ D2 ⇐⇒ ai ≥ bi

for all i.

We say that D1 ∼ D2 ⇐⇒ D1 − D2 = div(f )

for some function f.

For a divisor D, define L(D) = {functions f | div(f ) + D ≥ 0} ∪ {0}. Then L(D) is a vector space over K. Define (D) = dim L(D). For example, let D = 3[P ] − 2[Q]. A function f in the linear space L(D) has at most a triple pole at P and at least a double zero at Q. Also, f cannot have any poles other than at P , but it can have zeros other than at Q. PROPOSITION 11.14 Let C be a nonsingular algebraic curve defined over a field K, and let D, D1 , and D2 be divisors on C.

SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

365

1. If deg D < 0, then L(D) = 0. 2. If D1 ∼ D2 then L(D1 )  L(D2 ). 3. L(0) = K. 4. (D) < ∞. 5. If deg(D) = 0 then (D) = 0 or 1. PROOF Proposition 11.1 holds for all curves (see [38]), not just elliptic curves, and we’ll use it in this more general context throughout the present proof. For example, we need that deg(div(f )) = 0 for functions f that are not identically 0. If L = 0, then there exists f = 0 with div(f ) + D ≥ 0, which implies that deg(D) = deg(div(f ) + D) ≥ 0. This proves (1). If D1 ∼ D2 , then D1 = D2 + div(g) for some g. The map L(D1 ) → L(D2 ) f → f g is easily seen to be an isomorphism. This proves (2). If 0 = f ∈ L(0), then div(f ) ≥ 0. Since deg(div(f )) = 0, we must have div(f ) = 0, which means that f has no zeros or poles. The analogue of Proposition 11.1 says that f must be a constant. Therefore, L(0) = K and (0) = 1. This proves (3) and also proves (4) for D = 0. We can get from 0 to an arbitrary divisor by adding or subtracting one point at a time. We’ll show that each such modification changes the dimension by at most one. Therefore, the end result will be a finite dimensional vector space. Suppose that D1 , D2 are two divisors with D2 = D1 + [P ] for some point P . Then L(D1 ) ⊆ L(D2 ). Suppose there exist g, h ∈ L(D2 ) with g, h ∈ L(D1 ). Let −n be the coefficient of [P ] in D2 . Then both g and h must have order n at P . (The order of g

366

CHAPTER 11 DIVISORS

must be at least n. If it is larger, then g ∈ L(D1 ). Similarly for h.) Let u be a uniformizer at P . Write g = un g1 ,

h = u n h1

with g1 (P ) = c = 0, ∞ and h1 (P ) = d = 0, ∞. Then dg − ch = un (dg1 − ch1 ), and (dg1 − ch1 )(P ) = 0. Therefore, dg − ch has order greater than n at P , so dg − ch ∈ L(D1 ). Therefore any two such elements g, h ∈ L(D2 ) are linearly dependent mod L(D1 ). It follows that (D1 ) ≤ (D2 ) ≤ (D1 ) + 1. As pointed out above, this implies (4). To prove (5), assume deg(D) = 0. If L(D) = 0, we’re done. Otherwise, there exists 0 = f ∈ L(D). Then div(f ) + D ≥ 0

and

deg(div(f ) + D) = 0 + 0 = 0.

Therefore, div(f ) + D = 0. Since D ∼ div(f ) + D = 0, we have L(D)  L(0) = K, by (2) and (3). Therefore, (D) = 1. This proves (5). A very fundamental result concerning divisors is the following. THEOREM 11.15 (Riemann-Roch) Given an algebraic curve C, there exists an integer g (called the genus of C) and a divisor K (called a canonical divisor) such that (D) − (K − D) = deg(D) − g + 1 for all divisors D. For a proof, see [42] or [49]. The divisor K is the divisor of a differential on C. COROLLARY 11.16 deg(K) = 2g − 2.

SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

367

PROOF Letting D = 0 and D = K in the Riemann-Roch theorem, then using (3) in Proposition 11.14, yields (K) = g,

and

(K) = deg(K) − g + 2.

Therefore, deg(K) = 2g − 2, as desired. COROLLARY 11.17 If deg(D) > 2g − 2, then (D) = deg(D) − g + 1. PROOF Since deg(K − D) < 0, Proposition 11.14 (1) says that (K − D) = 0. The Riemann-Roch theorem therefore yields the result. COROLLARY 11.18 Let P, Q be points on C. If g ≥ 1 and [P ] − [Q] ∼ 0, then P = Q. PROOF By assumption, [P ] − [Q] = div(f ) for some f . Assume [P ] = [Q]. Since f n has a pole of order n at Q, and since functions with different orders of poles at Q are linearly independent, the set {1, f, f 2 , . . . , f 2g−1 } spans a subspace of L((2g − 1)[Q]) of dimension 2g. Therefore, 2g ≤ ((2g − 1)[Q]) = (2g − 1) − g + 1 = g, by Corollary 11.17. Since g ≥ 1, this is a contradiction. Therefore, P = Q.

Our goal is to show that a curve C of genus one is isomorphic over K to an elliptic curve given by a generalized Weierstrass equation. The following will be used to construct the functions needed to map from C to the elliptic curve. COROLLARY 11.19 If C has genus g = 1 and deg(D) > 0, then (D) = deg(D). PROOF

This is simply a restatement of Corollary 11.17 in the case g = 1.

368

CHAPTER 11 DIVISORS

Choose a point P ∈ C(K). If P ∈ C(K), then it is possible to perform the following construction using only numbers from K rather than from K. This corresponds to the situation in Chapter 2, where we used rational points to put certain curves into Weierstrass form. However, we’ll content ourselves with working over K. Corollary 11.19 says that (n[P ]) = n

for all n ≥ 1.

Since K ⊆ L([P ]), which has dimension 1, we have L([P ]) = K. Since (2[P ]) = 2 > ([P ]), there exists a function f ∈ L(2[P ]) having a double pole at P and no other poles. Since (3[P ]) = 3 > (2[P ]), there exists a function g ∈ L(3[P ]) with a triple pole at P and no other poles. Since functions with different order poles at P are linearly independent, we can use f and g to give bases for several of the spaces L(n[P ]): L([P ]) = span(1) L(2[P ]) = span(1, f ) L(3[P ]) = span(1, f, g) L(4[P ]) = span(1, f, g, f 2 ) L(5[P ]) = span(1, f, g, f 2 , f g). We can write down 7 functions in the 6-dimensional space L(6[P ]), namely 1, f, g, f 2 , f g, f 3 , g 2 . These must be linearly dependent, so there exist a0 , a1 , a2 , a3 , a4 , a6 ∈ K with g 2 + a1 f g + a3 g = a0 f 3 + a2 f 2 + a4 f + a6 .

(11.10)

Note that the coefficient of g 2 must be nonzero, hence can be assumed to be 1, since the remaining functions have distinct orders of poles at P and are therefore linearly independent. Similarly, a0 = 0. By multiplying f by a suitable constant, we may assume that a0 = 1. Let E be the elliptic curve defined by y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 . We have a map ψ : C(K) → E(K) Q → (f (Q), g(Q)) P → ∞.

SECTION 11.5 GENUS ONE CURVES AND ELLIPTIC CURVES

369

PROPOSITION 11.20 ψ is a bijection. PROOF

Suppose Q1 = Q2 are such that ψ(Q1 ) = ψ(Q2 ), hence f (Q1 ) = f (Q2 ) = a

and

g(Q1 ) = g(Q2 ) = b

for some a, b. Since f − a has a double pole at P and g − b has a triple pole at P , div(f − a) = [Q1 ] + [Q2 ] − 2[P ] div(g − b) = [Q1 ] + [Q2 ] + [R] − 3[P ] for some R. Subtracting yields [R] − [P ] = div((g − b)/(f − a)) ∼ 0. By Corollary 11.18, this means that R = P . Therefore, div(g − b) = [Q1 ] + [Q2 ] − 2[P ], so g has only a double pole at P . This contradiction proves that ψ is an injection. To prove surjectivity, let (a, b) ∈ E(K). We want to find P with ψ(P ) = (a, b). Since f − a has a double pole at P and since the divisor of a function has degree 0, there are (not necessarily distinct) points Q1 , Q2 ∈ C(K) such that div(f − a) = [Q1 ] + [Q2 ] − 2[P ]. For a given x-coordinate a, there are two possible y-coordinates b and b for points on E. If g(Qi ) = b for some i = 1, 2, we have ψ(Qi ) = (a, b) and we’re done. Therefore, suppose g(Q1 ) = g(Q2 ) = b . Then ψ(Q1 ) = ψ(Q2 ) = (a, b ). Since ψ is injective, Q1 = Q2 , so div(f − a) = 2[Q1 ] − 2[P ]. Let u be a uniformizing parameter at Q1 . Then f − a = u2 f1 ,

g − b = ug1

with f1 (Q1 ) = 0, ∞ and g1 (Q1 ) = ∞ (possibly g1 (Q1 ) = 0). Substituting into (11.10) and using the fact that (a, b ) ∈ E yields (ug1 )(2b + a1 a + a3 ) = u2 h

370

CHAPTER 11 DIVISORS

for some function h. Dividing by u and evaluating at Q1 shows that g1 (Q1 ) = 0

or

2b + a1 a + a3 = 0.

If g1 (Q1 ) = 0, then g − b has at least a double root at Q1 , so div(g − b ) = 2[Q1 ] + [R] − 3[P ] for some R. Therefore, div((g − b )/(f − a)) = [R] − [P ]. By Corollary 11.18, R = P . This means that g − b has only a double pole at P , which is a contradiction. Therefore, g1 (Q1 ) = 0, so   ∂ 2 3 2 (y + a1 ay + a3 y − a − a2 a − a4 a − a6 ) 0 = 2b + a1 a + a3 = . ∂y y=b


This means that b is a double root, so b = b . Therefore, ψ(Q1 ) = (a, b ) = (a, b). Therefore, ψ is surjective. It is possible to show that not only ψ, but also ψ −1 , is given by rational functions. See [109, p. 64]. Since C is assumed to be nonsingular, this implies that the equation for E is nonsingular, so E is actually an elliptic curve. It is also possible to show that elliptic curves always have genus one. Therefore, over algebraically closed fields, genus one curves, with a base point P specified, are the same as elliptic curves, with P being the origin for the group law. Over nonalgebraically closed fields, the situation is more complicated. A genus one curve C such that C(K) is nonempty is an elliptic curve, but there are genus one curves C such that C(K) is empty (see Section 8.8). These curves are not elliptic curves over K, but become elliptic curves over certain extensions of K.

11.6 Equivalence of the Definitions of the Pairings In Sections 11.2 and 11.4, we gave two definitions of the Weil pairing. In this section, we show that these definitions are equivalent. Similarly, in Sections 3.4 and 11.3, we gave two definitions of the Tate-Lichtenbaum pairing. We show these are equivalent.

SECTION 11.6 EQUIVALENCE OF THE DEFINITIONS OF THE PAIRINGS

371

11.6.1 The Weil Pairing In this section we give the proof of Theorem 11.12, which says that the two definitions of the Weil pairing are equivalent. We let en denote the pairing defined in Section 11.2 and show that it equals the alternative definition. PROOF The following proof is based on a calculation of Weil [131, pp. 240-241]. Let V, W ∈ E[n2 ]. Let div(fnV ) = n[nV ] − n[∞],

n gnV = fnV ◦ n,

be as in the definition of the Weil pairing. Define c(nV, vW ) =

fnV +nW (X) , fnV (X)fnW (X − nV )

d(V, W ) =

gnV +nW (X) , gnV (X)gnW (X − V )

where the right-hand sides are functions of the variable point X on E. The fact that the notation does not include X on the left-hand sides is justified by the following. LEMMA 11.21 c(nV, nW ) and d(V, W ) are constants, and d(V, W )n = c(nV, nW ). PROOF Using the expressions for div(fnX ), div(gX ) on page 349, we see that div(c(nV, nW )) = 0 and div(d(V, W )) = 0. Therefore, they are constants. n = fnV ◦ n, we have Since gnV d(V, W )n =

fnV +nW (nX) = c(nV, nW ), fnV (nX)fnW (nX − nV )

because c(nV, nW ) is independent of X. The next few results relate the Weil pairing to c and d. The points U, V, W represent elements of E[n2 ]. LEMMA 11.22 d(V, W + nU ) = d(V, W ) and d(V + nU, W ) = d(V, W )en (nU, nW ). PROOF Since n(W + nU ) = nW , the functions gn(W +nU ) and gnW are equal. Therefore, d(V, W + nU ) =

gnV +nW (X) = d(V, W ). gnV (X)gnW (X − V )

372

CHAPTER 11 DIVISORS

Similarly, gnV +nW (X) gnV (X)gnW (X − V − nU ) gnW (X − V ) gnV +nW (X) = gnV (X)gnW (X − V ) gnW (X − V − nU ) = d(V, W )en (nU, nW ),

d(V + nU, W ) =

where the last equality uses the definition of the Weil pairing (Equation (11.6)). LEMMA 11.23

PROOF

d(V, W )d(U + W, V ) d(U, V ) = . d(V, U ) d(V, U + W )d(W, V )

The definition of d applied twice yields

gnU +(nV +nW ) (X) = d(U, V + W )gnU (X)gnV +nW (X − U ) = d(U, V + W )gnU (X)d(V, W )gnV (X − U )gnW (X − U − V ). Similarly, g(nU +nV )+nW (X) = d(U + V, W )gnU +nV (X)gnW (X − U − V ) = d(U + V, W )d(U, V )gnU (X)gnV (X − U )gnW (X − U − V ). Since gnU +(nV +nW ) = g(nU +nV )+nW , we can cancel like terms and obtain d(U, V + W )d(V, W ) = d(U + V, W )d(U, V ).

(11.11)

Interchange U and V in (11.11) and divide to obtain d(U, V + W )d(V, W ) d(U, V ) = . d(V, U ) d(V, U + W )d(U, W )

(11.12)

Now switch V and W in 11.11, solve for d(U, W ), and substitute in (11.12) to obtain the result. LEMMA 11.24 Let S, T ∈ E[n]. Then en (S, T ) =

c(S, T ) . c(T, S)

PROOF Choose U, V ∈ E[n2 ] so that nU = S, nV = T . The left-hand side of the formula in the previous lemma does not depend on W . Therefore

SECTION 11.6 EQUIVALENCE OF THE DEFINITIONS OF THE PAIRINGS

373

we can evaluate the right-hand side at W = jU for 0 ≤ j < n and multiply the results to obtain c(nU, nV ) = c(nV, nU )



d(U, V ) d(V, U )

n =

n−1  j=0

d(V, jU )d(U + jU, V ) . d(V, U + jU )d(jU, V )

All the factors in this product cancel except some of those for j = 0 and j = n − 1. We obtain d(V, ∞)d(nU, V ) c(S, T ) = . c(T, S) d(V, nU )d(∞, V ) In the first equation of Lemma 11.22, set W = ∞ to obtain d(V, nU ) = d(V, ∞). In the second equation of Lemma 11.22, set V = ∞ and then set W = V to obtain d(nU, V ) = d(∞, V )e(nU, nV ). This yields the result. We now proceed with the proof of the theorem. The definition of c shows that en (S, T ) =

fT (X)fS (X − T ) c(S, T ) = , c(T, S) fS (X)fT (X − S)

(11.13)

which is independent of X. Let DS = [S] − [∞],

DT = [X0 ] − [X0 − T ],

where X0 is chosen so that DS and DT are disjoint divisors. Let FS (X) = fS (X) and FT (X) = 1/fT (X0 − X). Then div(FS ) = n[S] − n[∞] = nDS ,

div(FT ) = n[X0 ] − n[X0 − T ] = nDT .

Therefore, (11.13) yields en (S, T ) =

FT (DS ) . FS (DT )

This shows that the theorem is true for the choice of divisors DS and DT . We now need to consider arbitrary choices. Let DS be any divisor of degree 0 such that sum(DS ) = S and let DT be any divisor of degree 0 such that sum(DT ) = T . Then DS = div(h1 ) + DS and DT = div(h2 ) + DT for some functions h1 , h2 . Let FS = hn1 FS and FT = hn2 FT . Then nDS = div(FS ) and nDT = div(FT ). First, assume that the divisors DS and DS are disjoint from DT and DT . Then h2 (DS )n FT (DS ) h2 (div(h1 ))n h2 (DS )n FT (div(h1 ))FT (DS ) FT (DS ) = = .  FS (DT ) h1 (DT )n FS (DT ) h1 (div(h2 ))n h1 (DT )n FS (div(h2 ))FS (DT )

374

CHAPTER 11 DIVISORS

By Weil reciprocity (Lemma 11.11), h2 (div(h1 )) = h1 (div(h2 )). Also, Weil reciprocity yields h2 (DS )n = h2 (nDS ) = h2 (div(FS )) = FS (div(h2 )) and similarly h1 (DT )n = FT (div(h1 )). Therefore, we obtain FT (DS ) F  (D ) = T S = en (S, T ). FS (DT ) FS (DT ) If DS and DS are not necessarily disjoint from DT and DT , we can proceed in two steps. First, let DS = [X1 + S] − [X1 ],

DT = [Y1 + T ] − [Y1 ],

where X1 and Y1 are chosen so that DS and DS are disjoint from DT and DT and so that DS and DS are disjoint from DT and DT . The preceding argument shows that FT (DS ) F  (D ) F  (D ) = T S = T S = en (S, T ). FS (DT ) FS (DT ) FS (DT ) This completes the proof. For other proofs, see [69, Section 6.4] and [51].

11.6.2 The Tate-Lichtenbaum Pairing In Section 3.4, we defined the (modified) Tate-Lichtenbaum pairing in terms of the Weil pairing. In Section 11.3, we gave an alternative definition in terms of divisors. THEOREM 11.25 The pairings τn defined in Theorem 3.17 and Theorem 11.8 are equal. PROOF Let the notation be as in Theorem 3.17. In particular, Q ∈ E(Fq ) and nR = Q. Choose a function g such that div(g) = n[R] − [Q] − (n − 1)[∞]. Let g φ denote the function obtained by applying φ to all the coefficients of the rational function defining g, so φ(g(X)) = g φ (φX) for all points X ∈ E(Fq ). Since φ(Q) = Q, div(g φ ) = n[φ(R)] − [Q] − (n − 1)[∞].

SECTION 11.7 NONDEGENERACY OF THE TATE-LICHTENBAUM PAIRING

Therefore,

375

div(g/g φ ) = n[R] − n[φ(R)].

Let P ∈ E(Fq )[n]. By Lemma 11.9, we may choose a divisor DP of degree 0 such that sum(DP ) = P , such that DP is disjoint from ∞, Q, and R, and such that φ(DP ) = DP (this means that φ permutes the points in DP ). Let div(f ) = nDP . We assume that f is chosen as in Lemma 11.10, so f (φ(R)) = φ(f (R)). In Theorem 11.12, let S = P , T = R − φR, DS = DP , DT = [R] − [φR], FS = f , and FT = g/g φ . Then (g/g φ )(DP ) f ([R] − [φ(R)])


q−1 f (R) g(DP ) f (R) =φ , = g(DP ) f (R) g(DP )

τn (P, Q) = en (P, R − φ(R)) =

since φ raises elements of Fq to the qth power. But f (R)n f (∞) = f (div(g)) = g(div(f )) = g(DP )n , f (Q) f (∞)n where the second equality is Weil reciprocity. Therefore,
n f (R) f (Q) f (∞)n . = g(DP ) f (∞) Raising this to the power (q − 1)/n yields
τn (P, Q) =

f (R) g(DP )




q−1 =

f (Q) f (∞)

(q−1)/n

f (∞)q−1 .

But f (∞) ∈ Fq since f φ = f and φ(∞) = ∞. Therefore, f (∞)q−1 = 1. Define the divisor DQ = [Q] − [∞]. We obtain τn (P, Q) = f (DQ )(q−1)/n , as desired. Since we have shown in the proof of Theorem 11.8 that the value of τn is independent of the choice of divisors, this completes the proof.

11.7 Nondegeneracy of the Tate-Lichtenbaum Pairing In this section we prove that the Tate-Lichtenbaum pairing is nondegenerate. The proof here is partly based on a paper of Schaefer [96]. First, we make a few remarks on pairings in general.

376

CHAPTER 11 DIVISORS

Let n ≥ 1 and let A and B be two finite abelian groups (written additively) such that na = 0 for all a ∈ A and nb = 0 for all b ∈ B. Let  ,  : B × A → µn be a bilinear pairing. If we fix a ∈ A, then ψa : b −→ b, a gives a homomorphism from B to µn . Let Hom(B, µn ) denote the set of all group homomorphisms from B to µn . We can make Hom(B, µn ) into an abelian group by defining the product of α, β ∈ Hom(B, µn ) by (α · β)(b) = α(b) · β(b) for all b ∈ B. LEMMA 11.26 If B is a finite group (written additively) such that nb = 0 for all b ∈ B, then #Hom(B, µn ) = #B. PROOF

First, suppose B = Zm , with m | n. If α ∈ Hom(B, µn ), then α(1)m = α(1 + · · · + 1) = α(0) = 1.

So α(1) is one of the m elements in µm ⊆ µn . Since 1 generates Zm , the value of α(1) determines α(b) for all b. Moreover, any choice of α(1) ∈ µm determines a well-defined homomorphism by b → α(1)b . Therefore, there is a bijection between Hom(Zm , µn ) and µm , so #Hom(Zm , µn ) = m = #B. Now consider an arbitrary finite abelian group B. By Theorem B.3 (Appendix B), B Zm1 ⊕ · · · ⊕ Zms . Since nb = 0 for all b ∈ B, we must have mi |n for all i. There is a map Φ : Hom(Zm1 , µn ) ⊕ · · · ⊕ Hom(Zm1 , µn ) −→ Hom (Zm1 ⊕ · · · ⊕ Zms , µn ) , (11.14) where the isomorphism maps the s-tuple (α1 , α2 , . . . , αs ) to the homomorphism given by (b1 , b2 , . . . , bs ) −→ α1 (b1 )α2 (b2 ) · · · αs (bs ). The map α −→ (α1 , α2 , . . . , α2 ), where αi (bi ) = α(0, 0, . . . , bi , . . . , 0), is the inverse of Φ, so Φ is a bijection. Since the group on the left side of (11.14) has order m1 m2 · · · ms = #B, we obtain the lemma. Part (b) of the next lemma makes our task easier since it allows us to deduce nondegeneracy in one argument from nondegeneracy in the other.

SECTION 11.7 NONDEGENERACY OF THE TATE-LICHTENBAUM PAIRING

377

LEMMA 11.27 Assume that the pairing  ,  : B × A → µn is nondegenerate in A (that is, if b, a = 1 for all b ∈ B, then a = 0). (a) The map A → Hom(B, µn ) given by a → ψa is injective. (b) If #A = #B, then the pairing is also nondegenerate in B. PROOF Suppose ψa is the trivial homomorphism. This means that b, a = ψa (b) = 1 for all b ∈ B. The nondegeneracy in A implies that a = 0. This proves (a). Let B1 = {b ∈ B | b, a = 1 for all a ∈ A}. Then each a ∈ A gives a well-defined homomorphism βa : B/B1 → µn given by βa (b mod B1 ) = b, a. If βa is the trivial homomorphism, then b, a = 1 for all b ∈ B, which means that a = 0. Therefore, A injects into Hom(B/B1 , µn ), which has order #B/#B1 , by Lemma 11.26. Since #A = #B, we must have #B1 = 1. But B1 = 0 is exactly what it means for the pairing to be nondegenerate in B. This proves (b). A converse of part (b) of Lemma 11.27 holds. LEMMA 11.28 Suppose  ,  : B × A → µn is nondegenerate in both A and B. Then #A = #B. In fact, A Hom(B, µn ) and B Hom(A, µn ). PROOF By Lemma 11.27, we have an injection from A to Hom(B, µn ), so #A ≤ #Hom(B, µn ) = #B. Reversing the roles of A and B, we have #B ≤ #Hom(A, µn ) = #A. Therefore, #A = #B, and the injections are isomorphisms. LEMMA 11.29 Let M be a finite abelian group and let α : M → M be a homomorphism. Then #Ker α = #M/#α(M ). PROOF

By Theorem B.6 (in Appendix B), #M = (#Ker α)(#α(M )).

The result follows. The following technical lemma is the key to proving the nondegeneracy of the Tate-Lichtenbaum pairing.

378

CHAPTER 11 DIVISORS

LEMMA 11.30 Let A and B be finite abelian groups (written additively) such that nx = 0 for all x ∈ A and for all x ∈ B. Suppose that there is a nondegenerate (in both arguments) bilinear pairing  ,  : B × A → µn , where µn is the group of nth roots of unity (in some field). Let C be a subgroup of B. Define ψ : A −→




µn

c∈C

a −→ (· · · , c, a, · · · ) . Then #ψ(A) = #C. PROOF

The pairing is nondegenerate, so A  Hom(B, µn ). Clearly, Ker ψ = {a ∈ A | c, a = 1 for all c ∈ C}.

Identifying A with the set of homomorphisms from B to µn , we see that Ker ψ = {f ∈ Hom(B, µn ) | f (C) = 1}. But a homomorphism that sends C to 1 is exactly the same as a homomorphism from B/C to µn . The set of such homomorphisms has order #(B/C) = #B/#C. Therefore (see Theorem B.6 in Appendix B) #ψ(A) = #A/#Ker ψ = #A/#(B/C) = #C, since #A = #B. This proves the lemma. We can now apply the above to the elliptic curve E. Let ψ : E[n] −→




µn

P ∈E(Fq )[n]

Q −→ (· · · , en (P, Q), · · · ) . LEMMA 11.31 Let φ = φq be the qth power Frobenius endomorphism of E. Then Ker ψ = (φ − 1)E[n].

EXERCISES

PROOF

379

Let Q ∈ E[n]. Then

ψ(φQ) = (· · · , en (P, φQ), · · · ) = (· · · , en (φP, φQ), · · · )   = · · · , en (P, Q)φ , · · · = (· · · , en (P, Q), · · · )

(since φP = P for P ∈ E(Fq )[n]) (by part (5) of Theorem 11.7) (since µn ⊂ Fq )

= ψ(Q). Therefore, ψ((φ − 1)Q) = 1, so (φ − 1)E[n] ⊆ Ker ψ. By Lemma 11.30, with A = B = E[n] and C = E(Fq )[n], we have #ψ(E[n]) = #E(Fq )[n]. Let Ker (φ − 1)|E[n] denote the kernel of the restriction of φ − 1 to E[n]. Then #E(Fq )[n] = #Ker (φ − 1)|E[n] = #E[n]/#((φ − 1)E[n]) ≥ #E[n]/#(Ker ψ)

(since Ker(φ − 1) = E(Fq )) (by Lemma 11.29) (since (φ − 1)E[n] ⊆ Ker ψ)

= #ψ(E[n]) = #E(Fq )[n]. Therefore, we must have equality everywhere. In particular, Ker ψ = (φ − 1)E[n]. We can now prove that the Tate-Lichtenbaum pairing is nondegenerate. Let Q ∈ E(Fq ). Write Q = nR with R ∈ E(Fq ). Suppose that τn (P, Q) = en (P, R − φR) = 1

for all P ∈ E(Fq )[n].

Then R − φR ∈ Ker ψ = (φ − 1)E[n]. This means that there exists T ∈ E[n] such that R − φR = φT − T , hence φ(R + T ) = R + T . Since the points fixed by φ have coordinates in Fq , this implies that R + T ∈ E(Fq ). Since Q = nR = n(R + T ), we have Q ∈ nE(Fq ). Therefore, τn : E(Fq )[n] × E(Fq )/nE(Fq ) −→ µn is nondegenerate in the second variable. Since the groups E(Fq )[n] and E(Fq )/nE(Fq ) have the same order (by Lemma 11.29 with α = n), Lemma 11.27 implies that the pairing is also nondegenerate in the first variable. This completes the proof of the nondegeneracy of the Tate-Lichtenbaum pairing.

Exercises 11.1 Let E be the elliptic curve y 2 = x3 − x over Q. (a) Show that f (x, y) = (y 4 + 1)/(x2 + 1)3 has no zeros or poles in E(Q).

380

CHAPTER 11 DIVISORS

(b) Show that g(x, y) = y 4 /(x2 + 1)3 has no poles in E(Q) but does have zeros in E(Q). (c) Find the divisors of f and g (over Q). 11.2 Let E be an elliptic curve over a field K and let m, n be positive integers that are not divisible by the characteristic of K. Let S ∈ E[mn] and T ∈ E[n]. Show that emn (S, T ) = en (mS, T ). 11.3 Suppose f is a function on an algebraic curve C such that div(f ) = [P ] − [Q] for points P and Q. Show that f gives a bijection of C with P1 . 11.4 Show that part (3) of Proposition 11.1 follows from part (2). (Hint: Let P0 be any point and look at the function f − f (P0 ).)

Chapter 12 Isogenies Isogenies, which are homomorphisms between elliptic curves, play a fundamental role in the theory of elliptic curves since they allow us to relate one elliptic curve to another. In the first section, we describe the analytic theory over the complex numbers. In subsequent sections, we obtain similar results in the algebraic setting. Finally, we sketch how isogenies can be used to count points on elliptic curves over finite fields.

12.1 The Complex Theory Let E1 = C/L1 and E2 = C/L2 be elliptic curves over C. Let α ∈ C be such that αL1 ⊆ L2 . Then [α] : E1 −→ E2 z −→ αz gives a homomorphism from E1 to E2 (we need αL1 ⊆ L2 to make the map well-defined). A map of the form [α] with α = 0 is called an isogeny from E1 to E2 . If there exists an isogeny from E1 to E2 , we say that E1 and E2 are isogenous. LEMMA 12.1 If α = 0, then αL1 is of finite index in L2 . PROOF

(k)

(k)

Let {ω1 , ω2 } be a basis for Lk , for k = 1, 2. Write (1)

αωi

(2)

(2)

= ai1 ω1 + ai2 ω2

with aij ∈ Z. If det(aij ) = 0 then (a11 , a12 ) is a rational multiple of (a21 , a22 ), (1) (1) which implies that αω1 is a rational multiple of αω2 . This is impossible (1) (1) since ω1 and ω2 are linearly independent over R. 381

382

CHAPTER 12 ISOGENIES (k)

Regard each ωi as a two-dimensional vector over R. Then the area of the (k) (k) fundamental parallelogram of Lk is | det(ω1 , ω2 )|. Since  

(1) (1) (2) (2) = det(aij ) det ω1 , ω2 , det αω1 , αω2 the index of αL1 in L2 , which is the ratio of the areas of the fundamental parallelograms, equals | det(aij )|. REMARK 12.2 A potential source of confusion is the following. Suppose a lattice L1 is contained in L2 , so L2 is a larger lattice than L1 . Let F1 and F2 be fundamental parallelograms for these lattices. Then F2 is smaller than F1 . For example, let L1 = 2Z + 2iZ and L2 = Z + iZ. Then L1 ⊂ L2 . The unit square is a fundamental parallelogram for L2 , while the square with corners at 0, 2, 2i, 2 + 2i is a fundamental parallelogram for L1 . Define the degree of [α] to be the index [L2 : αL1 ]. If α = 0, define the degree to be 0. If N is the degree, we say that C/L1 and C/L2 are N isogenous. The existence of the dual isogeny, defined below, shows that if E1 and E2 are N -isogenous, then E2 and E1 are N -isogenous, so this relation is symmetric. PROPOSITION 12.3 If α = 0, then #Ker([α]) = deg([α]). PROOF

Let z ∈ C. Then [α](z) = 0 ⇐⇒ αz ∈ L2 , so Ker([α]) = α−1 L2 /L1 L2 /αL1 ,

where the isomorphism is given by multiplication by α. Therefore, the order of the kernel is the index, which is the degree. If Ker([α]) = α−1 L2 /L1 is cyclic, we say that [α] is a cyclic isogeny. In general, Ker([α]) is a finite abelian group with at most two generators (coming from the generators of L2 ), so it has the form Zn1 ⊕ Zn2 with n1 |n2 (see Appendix B). Therefore, the isogeny equals multiplication by n1 on E1 composed with a cyclic isogeny whose kernel has order n2 /n1 (Exercise 12.2). Let α = 0 and let N = deg([α]). Define the dual isogeny  : C/L2 −→ C/L1 [α] to be the map given by multiplication by N/α. We need to show this is well defined: Since N = [L2 : αL1 ], we have N L2 ⊆ αL1 . Therefore, (N/α)L2 ⊆ L1 , as desired.

SECTION 12.1 THE COMPLEX THEORY

383

We have the fundamental relation:  ◦ [α] = deg([α]), [α] where the integer deg([α]) denotes integer multiplication on C/L1 . It is easy to show (see Exercise 12.3) that   = [α] [α] and that

 = deg([α])  = deg([α]), [α] ◦ [α]

which is integer multiplication on C/L2 . A situation that arises frequently is when α = 1. This means that we have L1 ⊆ L2 and the isogeny is simply the map z mod L1 −→ z mod L2 . The kernel is L2 /L1 . An arbitrary isogeny [α] can be reduced to this situation by composing with the isomorphism C/L2 → C/α−1 L2 given by multiplication by α−1 . PROPOSITION 12.4 Let C ⊂ E1 = C/L be a finite subgroup. Then there exist an elliptic curve E2 = C/L2 and an isogeny from E1 to E2 whose kernel is C. PROOF C can be written as L2 /L1 for some subgroup L2 of C containing L1 . If N is the order of C, then N L2 ⊆ L1 , so L1 ⊆ L2 ⊆ (1/N )L1 . By the discussion following Theorem B.5 in Appendix B, L2 is a lattice. Therefore, C/L1 → C/L2 is the desired isogeny. Given two elliptic curves and an integer N , there is a way to decide if they are N -isogenous. Recall the modular polynomial ΦN (X, Y ) (see Theorem 10.15 and page 324), which satisfies  ΦN (j(τ1 ), j(τ2 )) = (j(τ1 ) − j(S(τ2 ))) ,  where SN is the set of matrices ad = N and 0 ≤ b < d.

S∈SN

ab 0d



with a, b, d positive integers satisfying

THEOREM 12.5 Let N be a positive integer and let ΦN (X, Y ) be the N th modular polynomial, as in Theorem 10.15. Let Ei = C/Li have j-invariant ji for i = 1, 2. Then E1 is N -isogenous to E2 if and only if ΦN (j1 , j2 ) = 0.

384

CHAPTER 12 ISOGENIES

PROOF

Write jk = j(τk ) for  someτk . Suppose ΦN (j1 , j2 ) = 0. Then ab j(τ1 ) = j(S(τ2 )) for some S = ∈ SN . By Corollary 9.19, there 0d   s t exists M = ∈ SL2 (Z) such that (sτ1 + t)/(uτ1 + v) = S(τ2 ). Writing uv τ1 = ω1 /ω2 for some basis {ω1 , ω2 } of L1 , we see that (sω1 +tω2 )/(uω1 +vω2 ) = S(τ2 ). But {sω1 + tω2 , uω1 + vω2 } is another basis for L1 since M ∈ SL2 (Z). (i) (i) We conclude that there exist bases {ω1 , ω2 } of Li , for i = 1, 2, such that (1)

(2)

ω1

(1)

ω2 (2)

(2)

(2)

aω1 + bω2

= S(τ2 ) =

.

(2)

dω2

(1)

(1)

(2)

(1)

Let α = (aω1 + bω2 )/ω1 . Then αω2 = dω2 . Therefore αωi , for i = 1, 2, is a linear combination with integer coefficients of the basis elements of L2 , so αL1 ⊆ L2 . As we saw  in the proof of Lemma 12.1, the index ab [L2 : αL1 ] is the determinant of , which is N . Therefore, [α] gives an 0d N -isogeny from C/L1 to C/L2 . Conversely, suppose that there is an N -isogeny [α] from C/L1 to C/L2 . Write     (1) (2) ω1 ω1 α = (aij ) , (1) (2) ω2 ω2 as in Lemma 12.1. By Lemma 10.10, we can write      a11 a12 b11 b12 ab = a21 a22 b21 b22 0d with (bij ) ∈ SL2 (Z). Let 

Then

ω1 ω2

 α

Therefore,





ω1 ω2

−1

= (bij ) 

 =

(2)

ab 0d

(2)

(2)



(2)

ω1 aω1 + bω2 = (2) ω2 dω2

(1)



ω1 (1) ω2

=

(2)

ω1 (2) ω2

.  .

aτ2 + b , d

where τ2 = ω1 /ω2 . The fact that (bij ) ∈ SL2 (Z) implies that {ω1 , ω2 } is a basis of L1 . Since j1 = j(ω1 /ω2 ), we obtain   ab j1 = j(S(τ2 )), where S = . 0d

SECTION 12.1 THE COMPLEX THEORY

385

Therefore, ΦN (j1 , j2 ) = 0. Example 12.1 The curve E1 : y 2 = 4(x3 − 2x + 1) has j-invariant j1 = 55296/5 and the curve E2 : y 2 = 4(x3 − 7x − 6) has j2 = 148176/25. A calculation (the polynomial Φ2 is given on page 329) shows that   55296 148176 , Φ2 = 0, 5 25 so there is a 2-isogeny from E1 to E2 . The AGM method (Section 9.4.1) allows us to compute the period lattices: L1 = Z(2.01890581997842 . . . )i + Z(2.96882494684477 . . . ) L2 = Z(2.01890581997842 . . . )i + Z(1.48441247342238 . . . ). The real period for E1 is twice the real period for E2 , and the complex periods are equal. The map C/L1 → C/L2 given by z → z gives the 2-isogeny. There is also a 2-isogeny C/L2 → C/L1 given by z → 2z. We have the factorization       148176 132304644 55296 236276 Φ2 x, = x− x− x− . 25 5 5 125 Therefore, E2 is also isogenous to elliptic curves with j-invariants 132304644/5 and 236276/125. We now prove that all nonconstant maps between elliptic curves over C are linear. This has the interesting consequence that a nonconstant map taking 0 to 0 is of the form [α], hence is a homomorphism. THEOREM 12.6 Let E1 = C/L1 and E2 = C/L2 be elliptic curves over C. Suppose that f : E1 → E2 is an analytic map (that is, f can be expressed as a power series in a neighborhood of each point of E1 ). Then there exist α, β ∈ C such that f (z mod L1 ) = αz + β mod L2 for all z ∈ C. In particular, if f (0 mod L1 ) = 0 mod L2 and f is not the 0-map, then f is an isogeny. PROOF

We can lift f to a continuous map f˜ : C → C satisfying f (z mod L1 ) = f˜(z) mod L2

for all z ∈ C (see Exercise 12.13). Moreover, f˜ can be expressed as a power series in the neighborhood of each point in C (this is the definition of f being

386

CHAPTER 12 ISOGENIES

an analytic map). Let ω ∈ L1 . Then the function f˜(z + ω) − f˜(z) reduces to 0 mod L2 . Since it is continuous and takes values in the discrete set L2 , it is constant. Therefore, its derivative is 0, so f˜ (z + ω) = f˜ (z) for all z. This means that f˜ is a holomorphic doubly periodic function, hence constant, by Theorem 9.1. Therefore, f˜(z) = αz + β for some α, β, as desired.

In anticipation of the algebraic situation, and recalling that endomorphisms of elliptic curves are given by rational functions, we prove the following. PROPOSITION 12.7 Let E1 = C/L1 and E2 = C/L2 be elliptic curves over C, let ℘i (z) be the Weierstrass ℘-function for Ei , and let [α] be an isogeny from E1 to E2 . Then there are rational functions R1 (x), R2 (x) such that ℘2 (αz) = R1 (℘1 (z)) ,

℘2 (αz) = ℘1 (z)R2 (℘1 (z)) .

PROOF We have αL1 ⊆ L2 . Let f (z) = ℘2 (αz). Let ω ∈ L1 . Then αω ∈ L2 , so f (z + ω) = ℘2 (αz + αω) = ℘2 (αz) = f (z) for all z. Therefore, z → ℘2 (αz) is a rational function of ℘1 and ℘1 by Theorem 9.3. In fact, the end of the proof of Theorem 9.3 shows that, since ℘2 (αz) is an even function, it is a rational function of ℘1 (z). Differentiation yields the statement about ℘2 (αz). Recall that z mod L1 corresponds to (℘1 (z), ℘1 (z) ) on the curve E1 : y12 = 4x31 − g2 x1 − g3 . The proposition says that [α] : E1 → E2 corresponds to (x1 , y1 ) −→ (x2 , y2 ) = (R1 (x1 ), y1 R2 (x1 )) .

12.2 The Algebraic Theory Let E1 : y12 = x31 + A1 x1 + B1 and E2 : y22 = x32 + A2 x2 + B2 be elliptic curves over a field K (later we will also work with generalized Weierstrass equations). An isogeny from E1 to E2 is a nonconstant homomorphism α : E1 (K) → E2 (K) that is given by rational functions. This means that α(P + Q) = α(P ) + α(Q) for all P, Q ∈ E1 (K) and that there are rational

SECTION 12.2 THE ALGEBRAIC THEORY

387

functions R1 , R2 such that if α(x1 , y1 ) = (x2 , y2 ), then x2 = R1 (x1 , y1 ),

y2 = R2 (x1 , y1 )

for all but finitely many (x1 , y1 ) ∈ E1 (K). The technicalities for the points where R1 and R2 are not defined are dealt with in the same way as for endomorphisms, as in Section 2.9. In fact, when E1 = E2 , an isogeny is a nonzero endomorphism. As in Section 2.9, we may write α in the form (x2 , y2 ) = α(x1 , y1 ) = (r1 (x1 ), y1 r2 (x1 )) , where r1 , r2 are rational functions. If the coefficients of r1 , r2 lie in K, we say that α is defined over K. Write r1 (x) = p(x)/q(x) with polynomials p(x) and q(x) that do not have a common factor. Define the degree of α to be deg(α) = Max{deg p(x), deg q(x)}. If the derivative r1 (x) is not identically 0, we say that α is separable. PROPOSITION 12.8 Let α : E1 → E2 be an isogeny. If α is separable, then deg α = #Ker(α). If α is not separable, then deg α > #Ker(α). In particular, the kernel of an isogeny is a finite subgroup of E1 (K). PROOF

The proof is identical to the proof of Proposition 2.21.

PROPOSITION 12.9 Let α : E1 → E2 be an isogeny. Then α : E1 (K) → E2 (K) is surjective. PROOF

The proof is identical to the proof of Theorem 2.22.

Example 12.2 Let p be an odd prime, let A1 , B1 be in a field of characteristic p, and let E1 : y12 = x31 + A1 x1 + B1 and E2 : y22 = x32 + Ap1 x2 + B1p . Define φ by (x2 , y2 ) = φ(x1 , y1 ) = (xp1 , y1p ).

388

CHAPTER 12 ISOGENIES

Suppose x1 , y1 ∈ K satisfy y12 = x31 + A1 x1 + B1 . Raising this equation to the p-th power yields (y1p )2 = (xp1 )3 + Ap1 (xp1 ) + B1p . Since x2 = xp1 and y2 = y1p , this means that φ maps E1 (K) to E2 (K). It is easy to see that φ is a homomorphism (as in Lemma 2.20). We have r1 (x) = xp

and

r2 (x) = (y 2 )(p−1)/2 = (x3 + A1 x + B1 )(p−1)/2 .

Therefore, deg(φ) = deg r1 = p. If Q = ∞ is a point of E1 , then φ(Q) = ∞, so Ker(φ) is trivial. The fact that the degree is larger than the cardinality of the kernel corresponds to the fact that φ is not separable. Example 12.3 Let E1 : y12 = x31 +ax21 +bx1 be an elliptic curve over some field of characteristic not 2. We require b = 0 and a2 − 4b = 0 in order to have E1 nonsingular. Then (0, 0) is a point of order 2. Let E2 be the elliptic curve y22 = x32 − 2ax22 + (a2 − 4b)x2 . Define α by  2  y1 y1 (x21 − b) (x2 , y2 ) = α(x1 , y1 ) = , . x21 x21 It is straightforward to check that α maps points of E1 (K) to points of E2 (K). It is more difficult to show that α is a homomorphism. However, this fact follows from Theorem 12.10 below. (We need to verify that α(∞) = ∞. For this, see Exercise 12.4.) We have x3 + ax2 + bx x2 + ax + b , r1 (x) = = 2 x x so deg α = 2 and α is separable. This means that there are two points in the kernel. Writing r1 (x) = x + a + (b/x), we see that these two points must be ∞ and (0, 0), since all other points have finite images (for another proof that α(0, 0) = ∞, see Exercise 12.5). THEOREM 12.10 Let E1 and E2 be elliptic curves over a field K. Let α : E1 (K) → E2 (K) be a nonconstant map given by rational functions. If α(∞) = ∞, then α is a homomorphism, and therefore an isogeny. PROOF

Recall that, by Corollary 11.4, there are group isomorphisms ψi : Ei (K) −→ Div0 (Ei )/(principal divisors)

given by P → [P ] − [∞]. Define α∗ : Div0 (E1 ) → Div0 (E2 ) by bj [Pj ] −→ bj [α(Pj )]. α∗ :

SECTION 12.2 THE ALGEBRAIC THEORY

389

Clearly, α∗ is a group homomorphism. LEMMA 12.11 α∗ maps principal divisors to principal divisors. PROOF Writing (x2 , y2 ) = α(x1 , y1 ), where (xi , yi ) are coordinates for Ei , allows us to regard K(x2 , y2 ) as a subfield of K(x1 , y1 ) (see the proof of Proposition 12.12). The norm map for this extension maps elements of K(x1 , y1 )× to elements of K(x2 , y2 )× , and yields a map from principal divisors on E1 to principal divisors on E2 . The main part of the proof of the lemma is showing that this norm map is the same as the map α∗ on principal divisors. For this, see [43, Prop. 1.4]. Therefore, α∗ gives a well-defined map α∗ : Div0 (E1 )/(principal divisors) −→ Div0 (E2 )/(principal divisors). If P ∈ E1 (K), then α∗ (ψ1 (P )) = α∗ ([P ] − [∞]) = [α(P )] − [∞] = ψ2 (α(P )). Therefore,

α = ψ2−1 ◦ α∗ ◦ ψ1 .

Since all three maps on the right are homomorphisms, so is α. The following tells us that an elliptic curve isogenous to an elliptic curve E is essentially uniquely determined by the kernel of the isogeny to it. This may seem obvious from the viewpoint of group theory since the group of points on the isogenous curve is isomorphic to E(K)/C, where C is the kernel of the isogeny. But we are asking for more: we want the uniqueness of the curve as an algebraic variety. We say that two elliptic curves E2 , E3 are isomorphic if there are group homomorphisms β : E2 (K) → E3 (K) and γ : E3 (K) → E2 (K) such that β and γ are given by rational functions and such that γ ◦ β = id on E2 and β ◦ γ = id on E3 . PROPOSITION 12.12 Let E1 , E2 , E3 be elliptic curves over a field K and suppose that there exist separable isogenies α2 : E1 → E2 and α3 : E1 → E3 defined over K. If Ker α2 = Ker α3 , then E2 is isomorphic to E3 over K. In fact, there is an isomorphism β : E2 → E3 such that β ◦ α2 = α3 . PROOF This proof will use some concepts from field theory and Galois theory. It may be skipped by readers unfamiliar with these subjects.

390

CHAPTER 12 ISOGENIES

Assume for simplicity that the elliptic curves are in Weierstrass form: Ei : yi2 = x3i +Ai xi +Bi . The isogeny α2 can be described by (x2 , y2 ) = α2 (x1 , y1 ) = (r1 (x1 ), y1 r2 (x1 )), where r1 and r2 are rational functions with coefficients in the field K. This allows us to regard K(x2 , y2 ) as a subfield of K(x1 , y1 ). Write r1 (x1 ) = p(x1 )/q(x1 ), where p and q are polynomials with no common factors. Then p(T ) − x2 q(T ) ∈ K(x2 )[T ] is irreducible of degree N = deg α2 (see Exercise 12.7). Therefore, the extension K(x1 )/K(x2 ) has degree N .

x3i + Ai xi + Bi ∈ K(xi ). Therefore, [K(xi , yi ) : By Lemma 11.5, yi = K(xi )] = 2. It follows that 2[K(x1 , y1 ) : K(x2 , y2 )] = [K(x1 , y1 ) : K(x2 , y2 )][K(x2 , y2 ) : K(x2 )] = [K(x1 , y1 ) : K(x1 )][K(x1 ) : K(x2 )] = 2N, so [K(x1 , y1 ) : K(x2 , y2 )] = N . Let Q be in the kernel of α2 . Translation by Q gives a map σQ : (x1 , y1 ) → (x1 , y1 ) + Q = (f (x1 , y1 ), g(x1 , y1 )) . This is an automorphism of K(x1 , y1 ) (see Exercise 12.9). Since σQ (x2 , y2 ) = σQ (α2 (x1 , y1 )) = α2 ((x1 , y1 ) + Q) = α2 (x1 , y1 ) = (x2 , y2 ), this automorphism acts as the identity on the field K(x2 , y2 ). A result from field theory says that if G is a finite group of automorphisms of a field L, then the subfield of elements fixed by G is of degree #G below L (see, for example, [71]). If α2 is separable, there are N (= deg α2 ) automorphisms given by translation by elements of the kernel of α2 , so the fixed field of this group is of degree N below K(x1 , y1 ). Since K(x2 , y2 ) is contained in this fixed field, and [K(x1 , y1 ) : K(x2 , y2 )] = N , the fixed field is exactly K(x2 , y2 ). The same analysis applies to α3 . If α2 and α3 are separable with the same kernel, then K(x2 , y2 ) and K(x3 , y3 ) are the fixed field of the same group of automorphisms, hence K(x2 , y2 ) = K(x3 , y3 ). Therefore, x2 , y2 are rational functions of x3 , y3 , and x3 , y3 are rational functions of x2 , y2 . Write x2 = R1 (x3 , y3 ),

y2 = R2 (x3 , y3 )

for rational functions R1 , R2 . Then γ : (x3 , y3 ) → (x2 , y2 ) = (R1 (x3 , y3 ), R2 (x3 , y3 )) gives a map E3 → E2 . Similarly, there exists β : E2 → E3 , and γ◦β = id on E2 and β ◦ γ = id on E3 . By translating the images of β and γ (that is, change β to β − β(∞), and similarly for γ), we may assume that β(∞) = ∞ and

SECTION 12.2 THE ALGEBRAIC THEORY

391

γ(∞) = ∞. By Theorem 12.10, these maps are homomorphisms. Therefore, β is an isomorphism, so E2 and E3 are isomorphic, as claimed. Moreover, β ◦ α2 (x1 , y1 ) = β(x2 , y2 ) = (x3 , y3 ) = α3 (x1 , y1 ), so β ◦ α2 = α3 . REMARK 12.13 If α2 and α3 are defined over K, then it is possible to show that E2 and E3 are isomorphic over K. See [109, Exercise 3.13]. A very important property of isogenies is the existence of dual isogenies. We already proved this in the case of elliptic curves over C. In the following, we treat elliptic curves over arbitrary fields. THEOREM 12.14 Let α : E1 → E2 be an isogeny of elliptic curves. Then there exists a dual  ◦ α is multiplication by deg α on E1 . isogeny α  : E2 → E1 such that α PROOF We give the proof only in the case that deg α is not divisible by the characteristic of the field K. The proof in the general case involves working with inseparable extensions of fields. See [109]. Let N = deg α. Then Ker(α) ⊂ E1 [N ], and α(E1 [N ]) is a subgroup of E1 of order N . We show in Theorem 12.16 that there exists an isogeny α2 : E2 → E3 , for some E3 , such that Ker(α3 ) = α(E1 [N ]). Then α2 ◦ α has kernel equal to E1 [N ]. The map E1 → E1 given by multiplication by N has the same kernel. By Proposition 12.12, there is an isomorphism β : E3 → E1 such that β ◦ α2 ◦ α is multiplication by N . Let α  = β ◦ α2 . The map α  is unique, its degree is deg α, and α ◦ α  equals multiplication by deg(α) on E2 . See Exercise 12.10. If α and β are isogenies from E1 to E2 , then α+β is defined by (α+β)(P ) = 
α(P )+β(P ). If α = −β, this is an isogeny. It can be shown that α +β =α  +β. See [109]. REMARK 12.15 There is an inseparable isogeny for which the dual isogeny can be constructed easily. If E is an elliptic curve over the finite field Fq , then the qth power Frobenius endomorphism can be regarded as an isogeny of degree q from E to itself. We know that φ2 − aφ + q = 0 for some integer a. Therefore, (a − φ) ◦ φ = q = deg φ, so φ = a − φ is the dual isogeny for φ.

392

CHAPTER 12 ISOGENIES

12.3 V´ elu’s Formulas We now consider the algebraic version of Proposition 12.4. Since it is often convenient to translate a point in the kernel of an isogeny to the origin, for example, we work with the general Weierstrass form. The explicit formulas given in the theorem are due to V´elu [123]. THEOREM 12.16 Let E be an elliptic curve given by the generalized Weierstrass equation y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 , with all ai in some field K. Let C be a finite subgroup of E(K). Then there exists an elliptic curve E2 and a separable isogeny α from E to E2 such that C = Ker α. For a point Q = (xQ , yQ ) ∈ C with Q = ∞, define x gQ = 3x2Q + 2a2 xQ + a4 − a1 yQ y gQ = −2yQ − a1 xQ − a3 x (if 2Q = ∞) gQ vQ = y x  ∞) 2gQ − a1 gQ (if 2Q = y 2 uQ = (gQ ) .

Let C2 be the points of order 2 in C. Choose R ⊂ C such that we have a disjoint union C = {∞} ∪ C2 ∪ R ∪ (−R) (in other words, for each pair of non-2-torsion points P, −P ∈ C, put exactly one of them in R). Let S = R ∪ C2 . Set v=



vQ ,

Q∈S

w=



(uQ + xQ vQ ).

Q∈S

Then E2 has the equation Y 2 + A1 XY + A3 Y = X 3 + A2 X 2 + A4 X + A6 , where A1 = a1 , A4 = a4 − 5v,

A2 = a2 , A6 = a6 −

A3 = a3 (a21

+ 4a2 )v − 7w.

´ SECTION 12.3 VELU’S FORMULAS

393

The isogeny is given by X =x+ Y =y−

Q∈S

 Q∈S



vQ uQ + x − xQ (x − xQ )2



x y a1 uQ − gQ qQ 2y + a1 x + a3 a1 (x − xQ ) + y − yQ + v + uQ Q 3 2 2 (x − xQ ) (x − xQ ) (x − xQ )



PROOF As in Section 8.1, let t = x/y and s = 1/y. Then t has a simple zero and s has a third order zero at ∞ (see Example 11.3). Dividing the relation y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 by y 3 and rearranging yields s = t3 − a1 st + a2 st2 − a3 s2 + a4 s2 t + a6 s3 .

(12.1)

If we substitute this value for s into the right hand side of (12.1), we obtain s = t3 − a1 (t3 − a1 st + a2 st2 − a3 s2 + a4 s2 t + a6 s3 )t + a2 (t3 − a1 st + a2 st2 − a3 s2 + a4 s2 t + a6 s3 )t2 + · · · . Continuing this process, we eventually obtain

 1 = s = t3 1 − a1 t + (a21 + a2 )t2 − (a31 + 2a1 a2 + a3 )t3 + · · · y and

y = t−3 + α1 t−2 + α2 t−1 + α3 + α4 t + α5 t2 + α6 t3 + O(t4 ),

where α1 = a1 ,

α2 = −a2 ,

α3 = a3 ,

α5 = a2 a3 + α6 =

−(a21 a4

+

a31 a3

a21 a3

α4 = −(a1 a3 + a4 ),

+ a1 a4 ,

+ a2 a4 + 2a1 a2 a3 + a23 + a6 ),

and where O(t4 ) denotes a function that vanishes to order at least 4 at ∞. Since x = ty, we also obtain x = t−2 + α1 t−1 + α2 + α3 t + α4 t2 + α5 t3 + α6 t4 + O(t5 ). Substituting these expressions for x, y into the formulas given for X, Y yields expressions for X, Y in terms of t. A calculation shows that Y 2 + A1 XY + A3 Y = X 3 + A2 X 2 + A4 X + A6 + O(t), where the Ai are as given in the statement of the theorem. Since X and Y are rational functions of x, y, they are functions on E. The only poles of X and Y are at the points in C, as can be seen from the explicit formulas for

.

394

CHAPTER 12 ISOGENIES

X, Y . Therefore the function Y 2 + A1 XY + A3 Y − X 3 − A2 X 2 − A4 X − A6 can have poles only at the points of C. It vanishes at ∞, since it is O(t). We want to show that it also vanishes at the nontrivial points of C. A calculation (see Exercise 12.6) shows that X(P ) = x(P ) + [x(P + Q) − x(Q)] (12.2) ∞=Q∈C

Y (P ) = y(P ) +



[y(P + Q) − y(Q)] .

(12.3)

∞=Q∈C

In particular, X and Y are invariant under translation by elements of C. Therefore, Y 2 + A1 XY + A3 Y − X 3 − A2 X 2 − A4 X − A6 is invariant under translation by elements of C. Since it vanishes at ∞, it vanishes at all points of C. Hence it has no poles. This means that it is constant (see Proposition 11.1). Since it vanishes at ∞, it is 0. This proves that X and Y satisfy the desired generalized Weierstrass equation. The following shows that this equation gives a nonsingular curve. LEMMA 12.17 E2 is nonsingular. PROOF For simplicity, assume that the characteristic of K is not 2. By completing the square, we may reduce to the case where A1 = A3 = 0, so the equation of E2 is Y 2 = X 3 + A2 X 2 + A4 X + A6 = (X − e1 )(X − e2 )(X − e3 ). We need to show that e1 , e2 , e3 are distinct. Suppose that e1 = e2 . Then  2 Y X − e3 = . X − e1 Let F = Y /(X − e1 ), which is a function on E. The function X − e3 on E has double poles at the points of C and no other poles. Therefore, its square root, namely F , has simple poles at the points of C and no other poles. Note that F is invariant under translation by elements of C, since both X and Y are. Let a ∈ K. Since F − a has N poles, where N = #C, it has N zeros. If P is one of these zeros, then P + Q is also a zero for each Q ∈ C. This gives all of the N zeros, so we conclude that F = a occurs for exactly N distinct points of E. We now need a special case of what is known as the Riemann-Hurwitz formula. Consider an algebraic curve C defined by a polynomial equation G(x, y) = 0 over an algebraically closed field K. Let F (x, y) be a rational function on C. Let n be the number of poles of F , counted with multiplicity. If a ∈ K, then F −a has n poles, hence n zeros. It can be shown that if F is not

´ SECTION 12.3 VELU’S FORMULAS

395

a pth power, where p is the characteristic of K, then for all but finitely many a, these n zeros are distinct (if F is a pth power, then F − a = (F 1/p − a1/p )p , so the roots cannot be distinct; that is why this case is excluded). We say that n is the degree of F . If F − a has n distinct zeros for each a and F has n distinct poles, then we say that F is unramified. PROPOSITION 12.18 (Riemann-Hurwitz) Let C1 , C2 be curves of genus g1 , g2 defined over an algebraically closed field K, and let F : C1 → C2 be an unramified rational map of degree n. Then 2g1 − 2 = n(2g2 − 2). PROOF See [49]. More generally, the Riemann-Hurwitz formula can be extended to cover the case where F is ramified. In our case, F is a function from the elliptic curve E, which has genus 1, to the projective line P1 , which has genus 0. By the above discussion, F is unramified of degree n. Therefore, 0 = −2n, which is a contradiction. We conclude that e1 , e2 , e3 must be distinct and therefore that E2 is nonsingular. This completes the proof of Lemma 12.17. We have shown that α : (x, y) → (X, Y ) gives a map from E to E2 . Equations (12.2), (12.3) show that the points in the subgroup C are exactly the points mapping to ∞. In particular, since ∞ maps to ∞, Theorem 12.10 shows that α is an isogeny. Its kernel is C. By Exercise 12.8, α is separable. This completes the proof of Theorem 12.16. Example 12.4 Let E be given by y 2 = x3 + ax2 + bx, with b = 0 and a2 − 4b = 0 (these conditions make the curve nonsingular). The point (0, 0) is a point of order 2, so this point, along with ∞, gives a subgroup of order 2. The set S is {(0, 0)}. y x = a4 = b and gQ = 0, so uQ = 0. Therefore, For Q = (0, 0), we have vQ = gQ X =x+

b , x

Y =y−

by . x2

The curve E2 is given by the equation Y 2 = X 3 + aX 2 − 4bX − 4ab. Let X3 = X + a = x +

y2 ax + b = 2, x x

Y3 = Y = y −

by x2 − b . = y x2 y

396

CHAPTER 12 ISOGENIES

Then we obtain the elliptic curve E3 given by Y32 = X33 − 2aX32 + (a2 − 4b)X3 . The map α : E → E3 is the same as the isogeny of Example 12.3. The elliptic curve E3 has (0, 0) as a point of order 2. Repeating the procedure for E3 yields an isogeny to the elliptic curve E4 : Y42 = X43 + 4aX42 + 16bX4 with X4 = X3 +

−2aX3 + a2 − 4b , X32

Y4 = Y3 −

(a2 − 4b)Y3 . X32

Let X5 = X4 /4, Y5 = Y4 /8. Then Y52 = X53 + aX52 + bX5 , which is the equation of our original elliptic curve E. A calculation shows that in the map E → E,  x → X5 =

3x2 + 2ax + b 2y

2 − a − 2x,

which is exactly the formula for the x-coordinate of 2(x, y). A similar calculation for the y-coordinate tells us that the map E → E is multiplication by 2.  : E3 → E In summary, we have an isogeny α : E → E3 and an isogeny α such that α  ◦ α is multiplication by 2. The map α  is an example of a dual isogeny.

12.4 Point Counting In Section 4.5, we discussed the method of Schoof for counting the number of points on an elliptic curve over a finite field. In the present section, we briefly sketch some work of Elkies and Atkin that uses isogenies to improve the efficiency of Schoof’s algorithm. Let E be an elliptic curve defined over Fp . The p-power Frobenius endomorphism satisfies φ2 −aφ+p = 0 for some integer a, and #E(Fp ) = p+1−a. Therefore, to count the number of points in E(Fp ), it suffices to find a. Let = p be prime. Since the case = 2 can be treated as in Section 4.5, assume is odd. The goal is to compute a (mod ). As in Schoof’s algorithm,

SECTION 12.4 POINT COUNTING

397

if this is done for sufficiently many , then we obtain a. As described in Section 4.5, the Frobenius acts on the -torsion E[ ] as a matrix   s t . (φ)
= uv By Proposition 4.11, a ≡ Trace((φ)
) and p ≡ det((φ)
) (mod ). Suppose there is a basis of E[ ] such that   λb (φ)
= 0µ for some integers λ and µ. This means that there is a subgroup C of E[ ] such that φ(P ) = λP for all P ∈ C. Moreover, T 2 − aT + p ≡ (T − λ)(T − µ)

(mod ).

Conversely, if T 2 − aT + p has a root λ mod , then there is a subgroup C such that φ(P ) = λP for all P ∈ C (this is the result from linear algebra that the eigenvalues are the roots of the characteristic polynomial of a matrix). Let C be a subgroup such that φq (P ) = λP for all P ∈ C, so the qth-power Frobenius permutes the elements of C. Consider the isogeny with kernel C constructed in Theorem 12.16. The formula for the isogenous curve E2 is symmetric in the coordinates of the points of C. Since φq permutes these coordinates, it leaves invariant the coefficients of equation of E2 . Consequently, the j-invariant j2 of E2 is fixed by φq and therefore lies in Fq . Similarly, the monic polynomial whose roots are the x-coordinates of the points in C has coefficients that lie in Fq . There are ( − 1)/2 such coordinates, so we obtain a polynomial F
(x) of degree ( − 1)/2. Recall that the th division polynomial ψ
(x), whose roots are the x-coordinates of all the points in E[ ], has degree ( 2 − 1)/2. Therefore, F
(x) is a factor of ψ
(x) of degree much smaller than ψ
(x). In Schoof’s algorithm, the most time-consuming parts are the computations mod ψ
(x). The ideas in Section 4.5 allow us to work mod F
(x) instead, and find a λ such that φ(P ) = λP for some P = ∞ in C. Since the degree of F
(x) is much smaller than the degree of ψ
(x), the computations proceed much faster. Since λµ ≡ p (mod ), we have a ≡ Trace((φ)
) ≡ λ +

p λ

(mod ),

so we obtain a mod . Finding F
(x) efficiently is rather complicated. See [12] or [99] for details. Determining whether λ and µ exist is more straightforward and uses the modular polynomial Φ
(X, Y ) (see Theorem 10.15). Recall that Φ
(X, Y ) has integer coefficients. If j1 , j2 ∈ C, then Φ
(j1 , j2 ) = 0 if and only there is an isogeny of degree from an elliptic curve with j-invariant j1 to one with

398

CHAPTER 12 ISOGENIES

invariant j2 . It is easy to see from the construction of Φ
(x) that its degree is

+ 1, corresponding to the + 1 subgroups in E[ ] of order + 1. Since Φ
has integer coefficients, we can regard it as a polynomial mod p. The following analogue of Theorem 12.5 holds. THEOREM 12.19 Let = p be prime, let j1 , j2 ∈ Fp , and let E1 , E2 be elliptic curves with invariants j1 , j2 . Then Φ
(j1 , j2 ) = 0 if and only if there is an isogeny from E1 to E2 of degree . PROPOSITION 12.20 Let E be an elliptic curve defined over Fp . Assume that E is not supersingular and that its j-invariant j is not 0 or 1728. Let = p be prime. 1. Let j1 ∈ Fp be a root of the polynomial Φ
(j, T ), let E1 be an elliptic curve of invariant j1 , and let C be the kernel of the corresponding isogeny E → E1 of degree . Let r ≥ 1. There exists ν ∈ Z such that φr P = νP for all P ∈ C if and only if j1 ∈ Fpr . 2. The polynomial Φ
(j, T ) factors into linear factors over Fpr if and only if there exists ν ∈ Z such that φr P = νP for all P ∈ E[ ]. PROOF If φr P = νP for all P ∈ C, then, as discussed previously, the j-invariant j1 of the isogenous curve is in Fpr . Similarly, if φr P = νP for all P ∈ E[ ], then all -isogenous curves have j-invariants in Fpr , so all roots of Φ
(j, T ) are in Fpr . For proofs of the converse statements, see [99]. REMARK 12.21 12.11.

The restriction to j = 0, 1728 is necessary. See Exercise

By computing gcd (T p − T, Φ
(j, T )) as a polynomial in F
, we obtain a polynomial whose roots are the roots of Φ
(j, T ) in F
. Finding a root j1 of this polynomial allows us to construct a curve with j-invariant j1 (using the formula on page 47) that is -isogenous to E. As mentioned previously, a rather complicated procedure, described in [12] and [99], yields the desired factor F
(x) of the division polynomial ψ
(x). Example 12.5 Consider the elliptic curve E : y 2 = x3 √ + x + 7 over√F23 . The group E[3] is generated by P1 = (1, 3) and P2 = (14, 5), where 5 ∈ F232 . Let φ be the 23rd power Frobenius endomorphism. Then φ(P1 ) = P1 and φ(P2 ) = −P2 .

SECTION 12.4 POINT COUNTING

399

Therefore, the subgroups C1 = {∞, P1 , −P1 } and C2 = {∞, P2 , −P2 } are such that φ(P ) = λi P for all P ∈ Ci , where λ1 = 1 and λ2 = −1. The polynomials F
(x) are x − 1 for C1 and x − 14 for C2 . They are factors of the third division polynomial ψ3 (x) ≡ 3x3 + 3x2 + 9x + 1 ≡ (x − 1)(3x + 4)(x2 + 15x + 6)

(mod 23).

Either of λ1 , λ2 can be used to obtain a mod 3: a ≡ λi +

23 ≡0 λi

(mod 3).

Therefore, #E(F23 ) = 23 + 1 − a ≡ 0 (mod 3). Since x3 + x + 7 has x = −3 as a root mod 23, E(F23 ) contains a point of order 2. Therefore, #E(F23 ) ≡ 0 (mod 6). The Hasse bounds tell us that 15 ≤ #E(F23 ) ≤ 33, hence #E(F23 ) = 18, 24, or 30. In fact, counting points explicitly shows that the group has order 18. Let Ei be the image of the isogeny with kernel Ci . The j-invariant of E is 18. The modular polynomial Φ3 (18, T ) factors as Φ3 (18, T ) ≡ (T + 1)(T + 3)(T 2 + 2T + 10)

(mod 23)

(the polynomial Φ3 is given on page 329). Therefore, there are two 3-isogenous curves whose j-invariants are in F23 . They have j = −1 and j = −3. One of these is E1 and the other is E2 . Which is which? (Exercise 12.14). The following result, due to Atkin, shows that the possible factorizations of Φ
(j, T ) mod are rather limited. THEOREM 12.22 Let E be an elliptic curve defined over Fp . Assume that E is not supersingular and that its j-invariant j is not 0 or 1728. Let = p be prime. Let Φ
(j, T ) ≡ f1 (T ) · · · fs (T )

(mod )

be the factorization of Φ
(j, T ) into irreducible polynomials mod . The degrees of the factors are one of the following: 1. 1 and (and s = 2) 2. 1, 1, r, r, . . . , r (and s = 2 + ( − 1)/r) 3. r, r, . . . , r (and s = ( + 1)/r). In (1), a2 − 4p ≡ 0 (mod ). In (2), a2 − 4p is a square mod . In (3), a2 − 4p is not a square mod . In cases (2) and (3), a2 ≡ (ζ + 2 + ζ −1 )p

(mod )

for some primitive rth root of unity ζ ∈ F
.

400

CHAPTER 12 ISOGENIES

PROOF The matrix (φ)
has characteristic polynomial F (T ) = T 2 −aT +p. If F (T ) factors into distinct linear factors (T − λ)(T − µ) mod , then we can find a basis of E[ ] that diagonalizes (φ)
. An eigenvector for λ is a point P that generates a subgroup C1 such that φ(P ) = λP for all P ∈ C1 . The eigenvalue µ yields a similar subgroup C2 . Since λ and µ are the only two eigenvalues, C1 and C2 are the only two subgroups on which φ acts by multiplication by an integer. By Proposition 12.20, there are exactly two corresponding j-invariants in Fp that are roots of Φ
(j, T ). Let j3 = j1 , j2 be another root of Φ
(j, T ), and let r be the smallest integer such that j3 ∈ Fpr . By part (1) of Proposition 12.20, there is a subgroup C3 of E[ ] and an integer ν such that φr (P ) = νP for all P ∈ C3 . Moreover, C3 is the kernel of the isogeny to a curve of invariant j3 = j1 , j2 , hence C3 = C1 , C2 . This means that C1 , C2 , C3 are distinct eigenspaces of the 2 × 2 matrix (φ)r
, so (φ)r
must be scalar. Consequently, all subgroups C of order are eigenspaces of (φ)r
. Part (1) of Proposition 12.20 implies that all roots of Φ
(j, T ) lie in Fpr . We have therefore proved that all roots lie in the same field as j3 . Since j3 was arbitrary, r is equal for all roots j3 = j1 , j2 . Since the minimal r such that j3 ∈ Fpr is the degree of the irreducible factor that has j3 as a root, all irreducible factors of Φ
(j, T ), other than T − j1 and T − j2 , have degree r. This is Case (2). Since T 2 − aT + p factors in F
, its discriminant a2 − 4p is a square (this follows from the quadratic formula). If F (T ) = (T − λ)2 for some µ, then either (φ)
is the scalar matrix λI, or there is a basis for E[ ] such that   λ1 (φ)
= . 0λ (This is the nondiagonal case of Jordan canonical form.) In the first case, part (2) of Proposition 12.20 implies that Φ
(j, T ) factors into linear factors in Fp , and a2 − 4p ≡ 0 (mod ), which is a square. This is the case r = 1 in Case (2). In the other case, an easy induction shows that  k  k  λ kλk−1 λ1 = . 0λ 0 λk This is nondiagonal when k < and diagonal when k = . Therefore, the smallest r such that (φ)r
has two independent eigenvectors is r = , and (φ)

is scalar. The reasoning used in Case (2) shows that Φ
(j, T ) has an irreducible factor of degree . This yields Case (1). Since F (T ) has a repeated root, a2 − 4p ≡ 0 (mod ). Finally, suppose F (T ) is irreducible over F
. Then a2 − 4p is not a square mod . There are no nontrivial eigenspaces over F
, so there are no linear factors of Φ
(j, T ) over F
. Let λ and µ be the two roots of F (T ). They lie in F
2 and are quadratic conjugates of each other. The eigenvalues of (φ)k
are λk and µk . Let k be the smallest exponent so that λk ∈ F
. This is the smallest k such that (φ)k
has an eigenvalue in Fp , and therefore Fpk is the

SECTION 12.5 COMPLEMENTS

401

smallest field containing a root of Φ
(j, T ), by Proposition 12.20. Since λk and µk are quadratic conjugates and lie in F
, they are equal. Therefore, (φ)k
is scalar, so all roots of Φ
(j, T ) lie in Fpk , but none lies in any smaller field. It follows that all the irreducible factors of Φ
(j, T ) have degree r = k. This is Case (3). In all three cases, the eigenvalues (or diagonal elements in Case (1)) of (φ)
are λ and µ = p/λ. We have a = Trace((φ)
) = λ + µ. Moreover, λr = µr = pr /λr since (φ)r
is scalar. Therefore, λ2r = pr , hence λ2 = pζ for an rth root of unity ζ. This implies that


p 2 p2 = λ2 + 2p + 2 = p ζ + 2 + ζ −1 . a2 = λ + λ λ Suppose we are in Case (2) or (3). If ζ k = 1 for some k < r, then λ2k = pk = λk µk , so λk = µk . This means that (φ)k
is scalar, which contradicts the fact that r is the smallest k with this property. Therefore, ζ is a primitive rth root of unity. (Note that in Case (1), we have ζ = 1 and there are no primitive th roots of unity in F
.) This completes the proof of the theorem. In Example 12.5, the factorization of Φ3 had factors of degrees 1, 1, 2, which is case (2) of the theorem with r = 2. The primes corresponding to Cases (1) and (2) are called Elkies primes. Those for Case (3) are called Atkin primes. Atkin primes put restrictions on the value of a mod , but they allow many more possibilities than the Elkies primes, which, after some more work, allow a determination of a mod

. However, Atkin showed how to combine information obtained from the Atkin primes with the information obtained from Elkies primes to produce an efficient algorithm for computing a mod (see [12, Section VII.9]).

12.5 Complements Isogenies occur throughout the theory of elliptic curves. In Section 8.6, Fermat’s infinite descent involved two elliptic curves that are 2-isogenous. In fact, the descent procedure of Section 8.2 can sometimes be refined using an isogeny and its dual isogeny. This is what is happening in Section 8.6. See [109] for the general situation. Let E1 , E2 be elliptic curves over Fq . If they are isogenous over Fq , then #E1 (Fq ) = #E2 (Fq ) (Exercise 12.12). The amazing fact that the converse is true was proved by Tate. In other words, if #E1 (Fq ) = #E2 (Fq ) then E1 , E2 are isogenous over Fq . The condition #E1 (Fq ) = #E2 (Fq ) can be interpreted as saying that E1 and E2 have the same zeta function (see Section 14.1), so we see that the zeta function uniquely determines the isogeny class over Fq of an elliptic curve.

402

CHAPTER 12 ISOGENIES

A similar situation holds over Q, as was proved by Faltings in 1983. Namely, if E1 , E2 are elliptic curves over Q, then the L-series of E1 (see Section 14.2) equals the L-series of E2 if and only if E1 and E2 are isogenous over Q. This theorem arose in his proof of Mordell’s conjecture that an algebraic curve of genus at least 2 has only finitely many rational points.

Exercises 12.1 Let L be the lattice Z + Zi. (a) Show that [1 + i] : C/L → C/L is an isogeny. List the elements of the kernel and conclude that the isogeny has degree 2. (b) Let 0 = a + bi ∈ Z + Zi. Show that [a + bi] : C/L → C/L is an isogeny of degree a2 + b2 . (Hint: The proof of Lemma 12.1 shows that the degree is the determinant of a + bi acting on the basis {1, i} of L.) 12.2 Let E = C/L be an elliptic curve defined over C. Let n be a positive integer. Let [α] : C/L → C/L1 be an isogeny and assume that E[n] ⊆ Ker α. By multiplying by α−1 , we may assume that the isogeny is given by the map z → z and that L ⊆ L1 , so L1 /L is the kernel of the isogeny. For convenience, we continue to denote the isogeny by [α]. (a) Show that E[n] =

1 n L/L. C/ n1 L be

the map given by z → z. Show that (b) Let α1 : C/L → there is an isomorphism β : C/ n1 L  C/L such that β ◦ α1 = [n] (= multiplication by n on E). (c) Observe that α factors as α2 ◦ α1 , where α1 is as in (b), and where α2 : C/ n1 L → C/L1 is given by z → z. Let α3 = α2 ◦ β −1 . Conclude that α factors as α3 ◦ [n]. (d) Let γ : E → E1 be an isogeny with Ker γ  Zn1 ⊕ Zn2 with n1 |n2 . Show that γ equals multiplication by n1 on E composed with a cyclic isogeny whose kernel has order n2 /n1 . 12.3 Let [α] : C/L1 → C/L2 be an isogeny, as in Section 12.1.
= deg([α]) (Hint: multiplication by N/α cor(a) Show that deg([α]) responds to the matrix N (aij )−1 , in the notation of the proof of Lemma 12.1).

= [α]. (b) Show that [α]

EXERCISES

403

12.4 Let E1 : y12 = x31 + ax21 + bx1 be an elliptic curve over some field of characteristic not 2 with b = 0 and a2 − 4b = 0. Let E2 be the elliptic curve y22 = x32 − 2ax22 + (a2 − 4b)x2 . Define α by  (x2 , y2 ) = α(x1 , y1 ) =

y12 y1 (x21 − b) , x21 x21

 .

Let si = 1/yi and ti = xi /yi . Then ti and si are 0 at ∞ (in fact, ti has a simple zero at ∞ and si has a triple zero at ∞, but we won’t use this). We want to show that α(∞) = ∞. To do this, whenever we encounter an expression 0/0 or ∞/∞, we rewrite it so as to obtain an expression in which every part is defined. (a) Show that s2 =

s1 , 1 − b(s1 /t1 )2

t2 =

1 s1 . 2 t1 1 − b(s1 /t1 )2

(b) Show that s1 /t1 = t21 + as1 t1 + bs21 , so s1 /t1 is 0 at ∞. (c) Write s1 = t1 + as1 + b t21



s1 t1

2 t1 .

Show that s1 /t21 has the value 0 at ∞. (d) Show that α maps ∞ on E1 to ∞ on E2 . 12.5 Let E1 , E2 , α, s2 , t2 be as in Exercise 12.4. (a) Show that s2 =

x1 y1 , (x21 + ax1 + b)(x21 − b)

t2 =

y1 . x21 − b

(b) Conclude that α(0, 0) = ∞. 12.6 Let E be an elliptic curve given by a generalized Weierstrass equation y 2 + a1 xy + a3 y = x3 + a2 x2 + a4 x + a6 . Let P = (xP , yP ) and Q = (xQ , yQ ) be points on E. Let xP +Q , yP +Q denote the x and y coordinates of the point P + Q. (a) Show that if 2Q = ∞, then uQ = 0 and xP +Q −xQ =

vQ , xP − xQ

yP +Q −yQ = −

a1 (xP − xQ ) + yP − yQ vQ . (xP − xQ )2

404

CHAPTER 12 ISOGENIES

(b) Show that if 2Q = ∞, then xP +Q − xQ + xP −Q − x−Q =

vQ uQ + , 2 (xP − xQ ) (xP − xQ )3

yP +Q − yQ + yP −Q − y−Q 2yP + a1 xP + a3 a1 (xP − xQ ) + yP − yQ − vQ 3 (xP − xQ ) (xP − xQ )2 x y a1 uQ − gQ gQ − . (xP − xQ )2

= −uQ

(c) Show that, in the notation of Theorem 12.16,  [x(P + Q) − x(Q)] X(P ) = x(P ) + ∞=Q∈C

Y (P ) = y(P ) +



[y(P + Q) − y(Q)] .

∞=Q∈C

12.7 Let p(T ), q(T ) be polynomials with coefficients in a field K with no common factor. Let X be another variable. Show that the polynomial F (T ) = p(T ) − Xq(T ), regarded as a polynomial with coefficients in K(X), is irreducible. (Hint: By Gauss’s Lemma (see, for example, [71]), if F (T ) factors, it factors with coefficients that are polynomials in X (that is, we do not need to consider polynomials with rational functions as coefficients).) 12.8 Recall that in V´elu’s formulas,  X =x+ Q∈S

vQ uQ + x − xQ (x − xQ )2

 .

y = 0 if and only if 2Q = ∞. Show that if 2Q = ∞, (a) Show that gQ x = 0 (Hint: the curve is nonsingular). Conclude that if then gQ 2Q = ∞ then vQ = 0, and that uQ = 0 if and only if 2Q = ∞.

(b) Write the rational function defining X as p(x)/q(x), where p, q are polynomials with no common factor. Show that q(x) contains the product of (x − xQ )2 for all points Q ∈ S with 2Q = ∞ and that it contains (x − xQ ) for each point Q ∈ S with 2Q = ∞. Conclude that deg q = #C − 1. (c) Show that X − x has the form r(x)/q(x) with deg r < deg q. (d) Use the fact that p(x) r(x) =x+ q(x) q(x) to prove that deg p = #C. This shows that the isogeny constructed in Theorem 12.16 is separable.

EXERCISES

405

12.9 Let E be an elliptic curve over a field K and let Q ∈ E(K). Translation by Q gives a map (x, y) → (x, y) + Q = (f (x, y), g(x, y)), and therefore a homomorphism of fields σ : K(x, y) → K(x, y),

x → f (x, y),

y → g(x, y).

Show that σ has an inverse and therefore that σ is an automorphism of K(x, y). 12.10 Let E1 , E2 be elliptic curves over a field K and let α : E1 → E2 be an isogeny such that deg(α) is not divisible by the characteristic of K. (a) Suppose E3 is an elliptic curve over K and that β1 : E2 → E3 and β2 : E2 → E3 are isogenies such that β1 ◦ α = β2 ◦ α. Show that β1 = β2 . (b) Show that the map α  is the unique isogeny E2 → E1 such that α  ◦ α is multiplication by deg α. (c) Let f : A → B and g : B → C be surjective homomorphisms of abelian groups. Show that #Ker(g ◦ f ) = #Ker(g)#Ker(f ). Deduce that deg α  = deg α. (d) Show that α ◦ α  equals multiplication by deg(α) on E2 . (Hint: [n] ◦ α = α ◦ [n] = α ◦ α  ◦ α; now use (a).)  (e) Show that α  = α. 12.11 Consider the elliptic curve E : y 2 = x3 − 1 over F7 . It has j-invariant 0. (a) Show that the 3rd division polynomial (see page 81) is ψ3 (x) = x(x3 − 4). (b) Show that the subgroups of order 3 on E are √ C1 = {∞, (0, ±i)}, C2 = {∞, (41/3 , ± 3)}, √ √ C3 = {∞, (2 · 41/3 , ± 3)}, C4 = {∞, (4 · 41/3 , ± 3)}, √ where i = −1 ∈ F49 . Note that 23 = 1 in F7 , so 2 is a cube root of unity. (c) Show that the 3rd modular polynomial satisfies Φ3 (0, T ) ≡ T (T − 3)3 (mod 7). (d) Let ζ : E → E by (x, y) → (2x, −y). Then ζ is an endomorphism of E. Show that C1 is the kernel of the endomorphism 1 + ζ. Therefore C1 is the kernel of the isogeny 1 + ζ : E → E. Since j(E) = 0, this corresponds to the root T = 0 of Φ3 (0, T ) mod 7. (e) Let φ = φ7 be the 7th power Frobenius map. Show that φ has the eigenvalue −1 on C1 .

406

CHAPTER 12 ISOGENIES

(f) Show that φ(41/3 ) = 41/3 . (Hint: what x satisfy φ(x) = x?) Conclude that none of C2 , C3 , C4 is an eigenspace for φ. (g) Let E1 be an elliptic curve with j = 3 that is 3-isogenous to E (it exists by Theorem 12.19). Show that there does not exist ν ∈ Z such that φP = νP for all P in the kernel of the isogeny. This shows that the restriction j = 0 is needed in Proposition 12.20. 12.12 Let E1 , E2 be elliptic curves defined over Fq and suppose there is an isogeny α : E1 → E2 of degree N defined over Fq . (a) Let be a prime such that
qN and let n ≥ 1. Show that α gives an isomorphism E1 [ n ]  E2 [ n ]. (b) Use Proposition 4.11 to show that #E1 (Fq ) = #E2 (Fq ). 12.13 Let f : C/L1 → C/L2 be a continuous map. This yields a continuous map f : C → C/L2 such that f(z) = f (z mod L1 ). Let f(0) = z0 . Let z1 ∈ C and choose a path γ(t), 0 ≤ t ≤ 1, from 0 to z1 . (a) Let 0 ≤ t1 ≤ 1. Show that there exists a complex-valued continuous function h(t) defined in a small interval containing t1 , say (t1 −

, t1 + )∩[0, 1] for some , such that h(t) mod L2 = f(γ(t)). (Hint: Represent C/L2 using a translated fundamental parallelogram that contains f (γ(t1 )) in its interior.) (b) As t1 runs through [0, 1], the small intervals in part (a) give a covering of the interval [0, 1]. Since [0, 1] is compact, there is a (1) (n) finite set of values t1 < · · · < t1 whose intervals I1 , . . . , In cover all of [0, 1]. Suppose that for some t0 with 0 ≤ t0 < 1, we have a complex-valued continuous function g(t) on [0, t0 ] such that g(t) mod L2 = f(γ(t)). Show that if [0, t0 ] ∩ Ij is nonempty, and if h(t) is the function on Ij constructed in part (a), then there is an ∈ L2 such that g(t) = h(t) − for all t ∈ [0, t0 ] ∩ Ij . (Hint: g(t) − h(t) is continuous and L2 is discrete.) (c) Show that there exists a continuous function g : [0, 1] → C such that g(t) mod L2 = f(γ(t)) for all t ∈ [0, 1]. (d) Define f˜(z1 ) = g(1), where z1 and g are as above. Show that this definition is independent of the choice of path γ. (Hint: Deform one path into another continuously. The value of g(1) can change only by a lattice point.) (e) Show that the construction of f˜ yields a continuous function f˜ : C → C such that f (z mod L1 ) = f˜(z) mod L2 for all z ∈ C. 12.14 Consider the elliptic curves E1 , E2 in Example 12.5. Use V´elu’s formulas (Section 12.3) to compute the equations of E1 and E2 . Decide which has j = −1 and which has j = −3.

Chapter 13 Hyperelliptic Curves Given an algebraic curve, we can form its Jacobian, namely the group of divisors of degree 0 modulo principal divisors. As we saw in Corollary 11.4, the Jacobian of an elliptic curve gives the same group as the elliptic curve. However, for other curves, we get something new. In this chapter, we discuss hyperelliptic curves, for which the theory can be carried out rather explicitly. In [62], Koblitz suggested using hyperelliptic curves to build cryptosystems. Of course, whenever we have a group, we can build cryptosystems whose security depends on the difficulty of solving the discrete logarithm problem in the group. But computations in the group, for example adding elements, need to be fast if the cryptosystem is to have practical value. In Section 13.3, we discuss Cantor’s algorithm, which allows us to compute in Jacobians of hyperelliptic curves. In Section 13.4, we show how a form of the index calculus can be used to attack the discrete logarithm for these Jacobians. It turns out that this attack is effective when the genus (an invariant attached to the curve; see Theorem 11.15) is large. Therefore, it appears that the best curves for cryptography have genus 2. For much more on hyperelliptic curves, see [27], for example.

13.1 Basic Definitions Let K be a field. Throughout Sections 13.1, 13.2, and 13.3, we assume that K is algebraically closed, so that all points we consider have coordinates in K. Let g ≥ 1 be an integer and let h(x) and f (x) be polynomials with coefficients in K such that deg f = 2g + 1 and deg h ≤ g. Also, assume that f is monic (that is, the coefficient of x2g+1 is 1). The curve C given by the equation C : y 2 + h(x)y = f (x)

(13.1)

is called a hyperelliptic curve of genus g if it is nonsingular for all x, y ∈ K. This means that no point (x, y) on the curve, with x, y ∈ K, satisfies 2y + h(x) = 0 = f
(x) − yh
(x). When g = 1, we obtain an elliptic curve in

407

408

CHAPTER 13 HYPERELLIPTIC CURVES

generalized Weierstrass form. It can be shown that the genus of C (in the sense of Theorem 11.15) is g. If the characteristic of K is not 2, we can complete the square on the left side and put the curve into the form C : y 2 = f (x),

(13.2)

with f monic of degree 2g + 1. The nonsingularity condition states that no point on the curve satisfies 2y = 0 = f
(x). Since y = 0 means that f (x) = 0, this is equivalent to saying that no x satisfies f (x) = 0 = f
(x). In other words, f (x) has no multiple roots, just as for the Weierstrass form of an elliptic curve. For simplicity, we work with the form (13.2) throughout this chapter. There is one point at infinity, given by (0 : 1 : 0) and denoted ∞. If g ≥ 2, this point is singular, but this has no effect on what we do in this chapter. Technical point: Various results that we need to apply to C require that the curve be nonsingular. Therefore, it is necessary to remove the singularity at infinity. This is done by taking what is called the normalization of C. Fortunately, the resulting nonsingular curve agrees with C at the affine (that is, non-infinite) points and has a unique point at infinity (see, for example, [106]), which we again denote ∞. In the following, we will be working with functions and divisors. It will be easy to see what happens at the affine points. The behavior at ∞, which might seem harder to understand, is forced. For example, the function
x − a, where a is a constant, has two zeros, namely
(a, f (a)) and (a, − f (a)). Since the function has no other zeros or poles in the affine plane, and the degree of its divisor is 0, it must have a double pole at ∞. Similarly, any polynomial in x, y gives a function that has no poles in the affine plane, so the poles are at ∞. In fact, it can be shown that the rational functions on C with no poles except possibly at ∞ are the polynomials in x, y. In summary, in most situations we can work with ∞ without worry. However, the point (more accurately, a neighborhood of the point) is more complicated than it might appear. REMARK 13.1 There are also hyperelliptic curves given by equations of the forms (13.1) and (13.2) with deg f = 2g + 2. However, these will not be used in this chapter. Therefore, throughout this chapter, hyperelliptic curve will mean a curve with deg f = 2g + 1. Let P = (x, y) be a point on C. Define w(P ) = (x, −y), which is also a point on C. The map w : P → w(P ) is called the hyperelliptic involution. It satisfies w(w(P )) = P for all points P on C. On elliptic curves, w is multiplication by −1.

SECTION 13.2 DIVISORS

409

13.2 Divisors We continue to assume that C is a hyperelliptic curve given by (13.2) over an algebraically closed field K of characteristic not equal to 2. In general, a line intersects C in 2g + 1 points. Therefore, when g ≥ 2, we cannot use the method from elliptic curves to make the points on C into a group, since the line through two points intersects the curve in 2g−1 additional points, rather than in a unique third point. Instead, we form the group of divisors of degree 0 modulo principal divisors (that is, modulo divisors of functions on C). In order to discuss divisors of functions, we need to make precise the order of vanishing of a function at a point. Let P = (a, b) be a point on C and let t be a function that has a simple zero at P . If H(x, y) is a function on C, write H = tr G, where G(P ) = 0, ∞. Then H has a zero of order r at P (if r < 0, then H has a pole of order |r|). If P = (a, b) with b = 0, it can be shown that t = x − a has a simple zero at P . If b = 0, then x − a has a double zero, but t = y works since the function y has a simple zero. The intuition is that the line x − a = 0 intersects the curve C nontangentially at (a, b) except when b = 0, where it is a vertical tangent to the curve. Since tangency corresponds to higher order vanishing (as in Section 2.4), we need to use y instead, since the horizontal line y = 0 intersects C at (a, 0) nontangentially. The functions we will work with are polynomials in x and y. Since y 2 = f (x), we can replace y 2 with f (x). By induction, any polynomial in x, y can be reduced to a function of the form A(x) + B(x)y, where A(x) and B(x) are polynomials in x. We need to consider two special forms of functions. PROPOSITION  13.2 (a) Let A(x) = j (x − aj )cj . Then div(A(x)) =



  cj [Pj ] + [w(Pj )] − 2[∞] ,

j





 

where Pj = aj , f (aj ) and w(Pj ) = aj , − f (aj ) . (b) Let V (x) be a polynomial. Let  d f (x) − V (x)2 = (x − aj ) j . j

Then the function y − V (x) has divisor      div y − V (x) = dj [(aj , bj )] − [∞] , j

410

CHAPTER 13 HYPERELLIPTIC CURVES

where bj = V (aj ). If bj = 0, then dj = 1. PROOF Let a ∈ K. Consider the function given by the polynomial
H(x, y) = x − a. If f (a)
= 0, this function has simple zeros at P = (a, f (a)) and at w(P ) = (a, − f (a)). The only possible pole of x − a is at ∞. Since the number of zeros equals the number of poles (Proposition 11.1), there is a double pole at ∞. Therefore, div(x − a) = [P ] + [w(P )] − 2[∞]. If f (a) = 0, then x − a = y2

x−a . f (x)

Since f (x) has no multiple roots, (x−a)/f (x) does not have a zero or a pole at (a, 0). Therefore, x − a has a double zero at (a, 0). Note that w(a, 0) = (a, 0), so we can alsowrite div(x − a) in the form [P ] + [w(P )] − 2[∞] in this case. If A(x) = j (x − aj )cj , then div(A(x)) = j cj ([Pj ] + [w(Pj )] − 2[∞]), 
 where Pj = aj , f (aj ) (for either choice of sign for the square root). We will use this for polynomials A(x), but it also applies when cj < 0 is allowed, hence when A(x) is a rational function. Consider now a function of the form y − V (x), where V (x) is a polynomial. Let P = (a, b) be a point on C with b = 0. Assume that y − V (x) has a zero at P , so V (a) = b. Since b = 0, we have V (a) + b = 0, so the function y + V (x) does not have a zero at P . Therefore, the order of vanishing of y − V (x) at P is the same as the order of vanishing of    y + V (x) y − V (x) = y 2 − V (x)2 = f (x) − V (x)2 . We conclude that, when b = 0 and b = V (a), the coefficient of (a, b) in div(y − V ) equals the multiplicity of x − a in the factorization of f − V 2 . Now suppose (a, 0) is a point on C at which y − V (x) has a zero. This means that f (a) = 0 and V (a) = 0. Since the function x − a has a double zero at (a, 0), the function V (x) has at least a double zero at (a, 0). But y has a simple zero at (a, 0), so the function y − V (x) has only a simple zero at (a, 0). Suppose (x − a)2 is a factor of the polynomial f (x) − V (x)2 . Since (x − a)2 is a factor of V (x)2 , it is also a factor of f (x), which is not possible since f (x) has no multiple roots. Therefore, the polynomial f (x) − V (x)2 has x − a as a simple factor. In other words, if V (a) = 0 and (a, 0) is on C, the divisor of y − V (x) contains [(a, 0)] with coefficient 1, and the polynomial f (x) − V (x)2 has x − a as a simple factor. So far, we have proved that every zero of y − V gives a root of f − V 2 . We need to show that f − V 2 has no other roots. Write  div(y − V ) = dj ([(aj , bj )] − [∞]) . j

SECTION 13.2 DIVISORS

411

Then div(y + V ) =



dj ([(aj , −bj )] − [∞]) =

j



dj ([w(aj , bj )] − [∞]) .

j

Since div(f −V 2 ) = div(y +V )+div(y −V ) =



dj ([(aj , bj )] + [(aj , −bj )] − 2[∞]) ,

j

we must have f − V 2 =



j (x

− aj )dj , by part (a). Therefore, every root of

f − V 2 yields a term in div(y − V ). This completes the proof. Part (a) of the proposition has a converse. If D = w(D) = cj [w(Pj )].



cj [Pj ] is a divisor, let

PROPOSITION 13.3 Let D be a divisor of degree 0. Then D + w(D) is a principal divisor; in fact, it is the divisor of a rational function in x. where possibly some Pj is ∞. Since deg D = PROOF Write D = j cj [Pj ], c = 0, so D = 0, we have j j j cj ([Pj ] − [∞]). If some Pj = ∞, that term can now be omitted, so we may assume Pj = ∞ for all j. Therefore, D+w(D) = j cj ([Pj ] + [w(Pj )] − 2[∞]), which is the divisor of a polynomial in x, by Proposition 13.2. A divisor of the form D = j cj ([Pj ] − [∞]), with Pj = (aj , bj ), is called semi-reduced if the following hold: 1. cj ≥ 0 for all j 2. if bj = 0, then cj = 0 or 1 3. if [Pj ] with bj = 0 occurs in the sum (that is, cj > 0), then [w(Pj )] does not occur. If, in addition, j cj ≤ g, then D is called reduced. Proposition 13.2 implies that div (y − V (x)) is semi-reduced for every polynomial V (x). Let D1 = j cj ([Pj ] − [∞]) and D2 = j dj ([Pj ] − [∞]) be two divisors with cj ≥ 0 and dj ≥ 0. Define gcd(D1 , D2 ) =

 j

min{cj , dj } ([Pj ] − [∞]) .

412

CHAPTER 13 HYPERELLIPTIC CURVES

PROPOSITION 13.4 c ([P Let D = j ] − [∞]) be a semi-reduced divisor. Let Pj = (aj , bj ) and  j j U (x) = j (x − aj )cj . Let V (x) be a polynomial such that bj = V (aj ) for all j. Then   D = gcd div(U (x)), div(y − V (x) ⇐⇒ f (x) − V (x)2 is a multiple of U (x) (that is f (x) − V (x)2 is a polynomial multiple of U (x)). PROOF In the notation of Proposition 13.2(b), dj ≥ cj for all j if and only if f (x) − V (x)2 is a multiple of U (x). The gcd is D if and only if dj ≥ cj for all j, which yields the result. It is worth mentioning what happens at the points (aj , bj ) in D where bj = 0. Since D is semi-reduced, cj = 1 for these points. Although div(x−aj ) contains 2[Pj ]−2[∞], the gcd contains [Pj ]−[∞] only once since div(y − V (x)) contains [Pj ] − [∞] only once. The following result is central to our treatment of divisors for hyperelliptic curves, since it allows us to represent divisors concretely as pairs of polynomials. THEOREM 13.5 There is a one-to-one correspondence between semi-reduced divisors D = j cj ([Pj ] − [∞]) and pairs of polynomials (U (x), V (x)) satisfying 1. U (x) is monic, 2. deg U (x) = j cj and deg V (x) < deg U (x), 3. V (x)2 − f (x) is a multiple of U (x).   Under this correspondence, D = gcd div(U (x)), div(y − V (x) . PROOF Given a pair (U, V ), we obtain a divisor D as the gcd, as in the statement of the theorem. Since div(y − V (x)) is semi-reduced, the gcd is semi-reduced. Proposition 13.4 tells us that deg U (x) = j cj , as desired. Conversely, suppose we have a semi-reduced divisor D. Let Pj = (aj , bj ) be a point occurring in D. We can construct U (x) as in Proposition 13.4, but we need to find V (x) such that V (aj ) = bj for all j and such that V 2 − f is a multiple of U .  For this, we use a square root algorithm. Write U (x) = j (x − aj )cj . Suppose that, for each j, we have Vj (x) such that Vj (aj ) = bj and Vj (x)2 ≡ f (x) (mod (x − aj )cj ). The Chinese remainder theorem for polynomials (Exercise 13.10) tells us that there is a polynomial V (x) such that V (x) ≡ Vj (x) (mod (x−aj )cj ) for all j. Then V (x)2 −f (x) ≡ 0 (mod (x−aj )cj ) for all j. This implies that V (x)2 −f (x) is a multiple of U (x). Also, V (x) ≡ Vj (x) (mod x − aj ) implies that V (aj ) = Vj (aj ) = bj .

SECTION 13.2 DIVISORS

413

The problem is now reduced to solving congruences of the form W (x)2 ≡ f (x) (mod (x−a)c ) with W (a) = b, where b2 = f (a). The solutions W will be the desired polynomials Vj . If b = 0, then f (a) = 0 and, by Proposition 13.2, we know that c = 1, so we can take W (x) = 0. This yields W (x)2 = 02 = f (a) ≡ f (x)

(mod (x − a))

since f (x) ≡ f (a) (mod (x − a)) for any polynomial f (x). Suppose now that b = 0. Let W1 (x) = b. Then W1 (x)2 = b2 = f (a), so W1 (x)2 − f (x) is 0 at x = a, hence is 0 mod x − a. Now suppose that 1 ≤ n < c and that we have found Wn (x) such that Wn (x)2 ≡ f (x) (mod (x − a)n ) and Wn (a) = b. Write Wn+1 (x) = Wn (x) + k(x − a)n for some constant k to be determined. Then Wn+1 (x)2 − f (x) ≡ Wn (x)2 − f (x) + 2k(x − a)n Wn (x)

(mod (x − a)n+1 ).

Since Wn (x)2 − f (x) is a multiple of (x − a)n , we can form the polynomial P (x) = Wn (x)2 − f (x) /(x − a)n . Let k = −P (a)/2. Then Wn+1 (x)2 − f (x) is a multiple of (x − a)n+1 . Continuing in this way, we obtain a function W (x) = Wc (x) that has the desired properties. (Remark: This method is actually the same as Newton’s method for finding numerical approximations to solutions of equations.) As mentioned previously, we combine the functions Vj (x) via the Chinese remainder theorem to obtain V (x). Now that we have a function V (x) with V (x)2 − f (x) divisible by U (x), we can reduce V mod U to get a new function V with deg V (x) < deg U (x). We have therefore found the desired pair (U, V ). Finally, we need to show that V (x) is uniquely determined by D. Suppose V1 (x) and V2 (x) are two such polynomials. The functions y − Vi (x) vanish to order at least cj at Pj , and therefore their difference V2 (x) − V1 (x) must also vanish to this order. Therefore, V2 (x) − V1 (x) has at least j cj = deg U (x) zeros, counting multiplicity. But deg(V2 (x) − V1 (x)) < deg U (x), so V1 (x) − V2 (x) must be identically 0. This completes the proof. The next result shows that the reduced divisors represent all divisor classes of degree 0. PROPOSITION 13.6 Let D be a divisor of degree 0 on C. There exists a unique reduced divisor D1 such that D − D1 is a principal divisor. PROOF divisor D,

Recall the Riemann-Roch theorem (Theorem 11.15): For any
(D) −
(K − D) = deg(D) − g + 1.

414

CHAPTER 13 HYPERELLIPTIC CURVES

Replace D with D + g[∞]. Then
(D + g[∞]) =
(K − D − g[∞]) + 1 ≥ 1, since
(K − D − g[∞]) ≥ 0. This means that there is a function F = 0 such that div(F ) + D + g[∞] ≥ 0. Let D1 = div(F ) + D, which is in the same divisor class as D. Then D1 + g[∞] ≥ 0 and deg(D1 ) = 0. Since adding a multiple of [∞] to D1 makes all coefficients nonnegative, and since deg(D1 ) = 0, it follows easily that the only point in D1 with negative coefficients is [∞] and that there are at most g other points in the sum. If D1 contains both [P ] and [w(P )] for some P , then subtracting an appropriate multiple of the principal divisor [P ]+[w(P )]−2[∞] removes either [P ] or [w(P )] from D1 and leaves the other with a nonnegative coefficient. Therefore, we may assume that D1 is reduced, and hence D1 is the required divisor. We now show that D1 is unique. Suppose D − D1 = div(F ) and D − D2 = div(G) with both D1 and D2 reduced. Then D1 + w(D2 ) = D + w(D) − div(F ) − w(div(G)), which is principal, since D + w(D) is principal (Proposition 13.3) and w applied to a principal divisor yields a principal divisor (Exercise 13.4). Write D1 + w(D2 ) = div(H). Then     div(H) + 2g[∞] = D1 + g[∞] + w D2 + g[∞] ≥ 0, so H ∈ L(2g[∞]) (see Section 11.5). The Riemann-Roch theorem says that
(2g[∞]) −
(K − 2g[∞]) = 2g − g + 1 = g + 1. Since deg(K − 2g[∞]) = −2 < 0 by Corollary 11.16, we have
(K − 2g[∞]) = 0 by Proposition 11.14. Therefore,
(2g[∞]) = g + 1. Since xj ∈ L(2j[∞]), the set {1, x, x2 , . . . , xg } gives g + 1 functions in L(2g[∞]). They are linearly independent since they have poles of distinct orders. Therefore, they form a basis of L(2g[∞]). This means that every element can be written as a polynomial in x of degree at most g. We conclude that D1 + w(D2 ) = div(H), where H is a polynomial in x. As we showed earlier, this means that  D1 + w(D2 ) = cj ([Pj ] + [w(Pj )] − 2[∞]) j

SECTION 13.2 DIVISORS

415

for some points Pj and some integers cj . Since D1 and w(D2 ) are reduced, [Pj ] occurs in one of D1 and w(D2 ), and [w(Pj )] occurs in the other. By switching the names of Pj and w(Pj ), if necessary, we may assume that D1 =



([Pj ] − [∞])

and

w(D2 ) =

j



([w(Pj )] − [∞]).

j

This implies that D1 = D2 , as desired. We refer to elements of the group of divisors of degree 0 modulo principal divisors as divisor classes of degree 0. The set of divisor classes of degree 0 can be given the structure of an algebraic variety, called the Jacobian variety J of C. Over the complex numbers, the Jacobian has the structure of a g-dimensional complex torus Cg /L, where L is a lattice in g-dimensional complex space (the case g = 1 is the case of elliptic curves treated in Chapter 9). The addition of divisor classes corresponds to addition of points in Cg /L. Let P1 , P2 be points on C. Since [P1 ] − [∞] and [P2 ] − [∞] are reduced, the uniqueness part of Proposition 13.6 implies that these two divisors are not equivalent modulo principal divisors. Therefore, the map C −→ J P −→ [P ] − [∞] gives an injective mapping of C into its Jacobian. In the case of elliptic curves, this is an isomorphism (Corollary 11.4). THEOREM 13.7 There is a one-to-one correspondence between divisor classes of degree 0 on C and pairs (U (x), V (x)) of polynomials satisfying 1. U is monic. 2. deg V < deg U ≤ g. 3. V 2 − f (x) is a multiple of U . PROOF By Proposition 13.6, every divisor class of degree 0 is represented by a unique reduced divisor. By Theorem 13.5, these divisors are in one-toone correspondence with the pairs (U, V ) as in the statement of the present theorem. REMARK 13.8 The pair (U, V ) is called the Mumford representation of the corresponding divisor class. In many situations, it is easier to work with the Mumford representations than directly with the divisor classes. In the next

416

CHAPTER 13 HYPERELLIPTIC CURVES

section, we describe an algorithm that produces the Mumford representation for the sum of two divisor classes of degree 0. If we start with a divisor of degree 0 where [∞] is the only point with a negative coefficient, then it is easy to find a semi-reduced divisor in the same divisor class; namely, we remove divisors of suitable polynomials in x. However, the proof of Proposition 13.6 does not immediately give an algorithm for changing the semi-reduced divisor to the reduced divisor in the same divisor class. Nevertheless, if we work with the pair (U, V ) associated to the semi-reduced divisor, there is a straightforward procedure that produces the pair corresponding to the reduced divisor. THEOREM 13.9 (Reduction Procedure) Let (U, V ) be a pair representing a semi-reduced divisor D of degree 0. Do the following: ˜ = (f − V 2 )/U . 1. Let U ˜ ) with deg(V˜ ) < deg U ˜. 2. Let V˜ ≡ −V (mod U ˜ and V = V˜ . 3. Let U = U 4. Multiply U by a constant to make U monic. 5. If deg(U ) > g, go back to step 1. Otherwise, continue. 6. Output (U, V ). The reduction procedure terminates, and the output is the pair representing the reduced divisor in the divisor class of D. PROOF The divisor of U (x) is D + w(D). The divisor of y − V (x) is D + E, where E has the form j ej ([Qj ] − [∞]) for some points Qj and some coefficients ej ≥ 0. The divisor of y + V (x) is w(D + E). Since ˜ = f − V 2 = (y + V )(y − V ), UU we have ˜ ) = div(U ) + div(U ˜ ) = D + E + w(D + E). D + w(D) + div(U Therefore, ˜ ) = E + w(E). div(U Since div(y + V ) = w(D) + w(E),   ˜ ), div(y + V ) = w(E) gcd div(U

(13.3)

(13.4)

SECTION 13.3 CANTOR’S ALGORITHM

417

(as remarked earlier, a divisor of the form div(y + V ) is semi-reduced, so it cannot contain contributions from both E and w(E)). But ˜ ), D − div(y − V ) = −E = w(E) − div(U ˜ , V˜ ) represents so w(E) is in the same divisor class as D. We claim that (U ˜ w(E). By (13.3), the degree of U equals ej , the number of summands ˜ ), Theorem 13.5 implies that (U ˜ , V˜ ) in E. Since V˜ 2 ≡ (−V )2 ≡ f (mod U represents a divisor. By (13.4), it represents w(E). Finally, suppose deg(U ) ≥ g + 1. Then deg(f ) < 2 deg(U ) and deg(V 2 ) < ˜) < ˜ ) = deg(f −V 2 ) < 2 deg(U ). Therefore, deg(U 2 deg(U ), so deg(U )+deg(U deg(U ). This means that the degree decreases at every iteration of steps (1) through (4) until we obtain a polynomial of degree at most g. At this point, the corresponding divisor is reduced and we are done.

13.3 Cantor’s Algorithm Although very useful from a theoretical point of view, the description of the points of the Jacobian J in terms of divisor classes of degree 0 is not very useful from a computational point of view. On the other hand, the Mumford representation gives a very concrete representation of points of J. In this section, we present an algorithm due to David Cantor [22] for adding divisor classes that are given by their Mumford representations. The algorithm has its origins in Gauss’s theory of composition of quadratic forms. THEOREM 13.10 (Cantor’s algorithm) Let D1 and D2 be divisors of degree 0, whose classes correspond to pairs (U1 , V1 ) and (U2 , V2 ), as in Theorem 13.7. 1. Let d = gcd(U1 , U2 , V1 + V2 ). Find polynomials h1 , h2 , h3 such that d = U1 h1 + U2 h2 + (V1 + V2 )h3 . 2. Let V0 = (U1 V2 h1 + U2 V1 h2 + (V1 V2 + f )h3 ) /d. 3. Let U = U1 U2 /d2 and V ≡ V0 (mod U ) with deg V < deg U . ˜ = (f − V 2 )/U and V˜ ≡ −V (mod U ˜ ), with deg(V˜ ) < deg U ˜. 4. Let U ˜ and V = V˜ . 5. Let U = U 6. Multiply U by a constant to make U monic. 7. If deg(U ) > g, go back to step 4. Otherwise, continue.

418

CHAPTER 13 HYPERELLIPTIC CURVES

8. Output (U, V ). The pair (U, V ) is the Mumford representation of the divisor class of D1 + D2 . PROOF By modifying D1 and D2 by principal divisors, we may assume that Di = gcd(div(Ui ), div(y −Vi )), for i = 1, 2. The algorithm consists of two parts. The first part, which is steps (1), (2), and (3), constructs a pair (U, V ). It essentially corresponds to D1 +D2 , but terms of the form [P ]+[w(P )]−2[∞] need to be removed. This is the role of the polynomial d(x). The second part, steps (4) through (7), lowers the degree of U (x) so that deg U (x) ≤ g. First, we need to check that V0 in step (2) is a polynomial. Since U1 , U2 are multiples of d, it remains to show that V1 V2 + f is a multiple of d. But   V1 V2 + f = V1 (V1 + V2 ) + f − V12 ≡ 0 (mod d), since V1 + V2 is a multiple of d and since f − V12 is a multiple of U1 , hence a multiple of d. Therefore, V0 is a polynomial. We now show that gcd (U (x), y − V0 (x)) equals the semi-reduction of D1 + D2 , namely, D1 + D2 with any terms of the form [P ] + [w(P )] − 2[∞] removed. To do so, we need to explain the definition of V0 (x). Consider a point P = (a, b) and let the coefficient of [P ] − [∞] in Di be ri ≥ 0. The functions Ui and y − Vi vanish to order at least ri at P . Therefore, the products U1 U2 ,

(y − V1 )U2 ,

(y − V2 )U1 ,

(y − V1 )(y − V2 ) = f + V1 V2 − (V1 + V2 )y

vanish to order at least r1 + r2 at P . The coefficients of y in the last three functions are U2 , U1 , −(V1 + V2 ), and the polynomial d is the gcd of these. The linear combination for d in step (1) implies that (y − V2 )U1 h1 + (y − V1 )U2 h2 + ((V1 + V2 )y − f − V1 V2 ) h3 = dy − dV0 . Therefore, (y − V0 )d vanishes to order at least r1 + r2 at P . We now need to consider in detail what happens at each point P = (a, b). It is convenient to work with both P and w(P ) = (a, −b) at the same time. For simplicity, let (U, y − V ) denote the divisor gcd(div(U ), div(y − V )). Write (U1 , y − V1 ) = D1 = r1 ([P ] − [∞]) + s1 ([w(P )] − [∞]) + · · · (U2 , y − V2 ) = D2 = r2 ([P ] − [∞]) + s2 ([w(P )] − [∞]) + · · · . Since D1 and D2 are semi-reduced, either r1 = 0 or s1 = 0, and either r2 = 0 or s2 = 0. We need to show that the coefficients of [P ] − [∞] and of [w(P )] − [∞] in the semi-reduction of D1 + D2 match those in (U, y − V0 ), where U is the polynomial obtained in step (3). There are several cases to consider.

SECTION 13.3 CANTOR’S ALGORITHM

419

If r1 = s1 = r2 = s2 = 0, then U (P ) = 0. Therefore, P and w(P ) do not occur in (U, y − V0 ) and they do not occur in D1 + D2 . If some ri or si is positive, we can rename the points and divisors so that r1 > 0, and r1 = Max(r1 , s1 , r2 , s2 ). Then s1 = 0. Henceforth, we assume this is the case. If r2 = s2 = 0, then d(P ) = 0. The order of U at P is the order of U1 at P , which is r1 . Since (y−V0 )d has order at least r1 at P , so does y−V0 . Therefore, (U, y − V0 ) contains r1 ([P ] − [∞]). Since (U, y − V0 ) is semi-reduced, it does not contain [w(P )] − [∞] (except when P = w(P )). Therefore, D1 + D2 and (U, y − V0 ) agree at the terms involving [P ] − [∞] and [wP ] − [∞]. If r2 > 0 and b = 0, then U1 and U2 have simple zeros as polynomials (and double zeros as functions on C) at a by Proposition 13.2. Also, V1 + V2 has a zero at a, so the gcd d has a simple zero at a. Therefore, U = U1 U2 /d2 has no zero at a, so the divisor corresponding to (U, V ) does not contain P . Since U1 (a) = U2 (a) = 0, the divisors D1 and D2 both contain P = (a, 0) = w(P ). By Proposition 13.2, they each contain [P ]−[∞] with coefficient 1. Therefore, D1 + D2 contains 2 ([P ] − [∞]), which is principal and can be removed. The resulting divisor does not contain P . Therefore, (U, y − V0 ) and the semireduction of D1 + D2 agree at terms containing P . From now on, assume that b = 0. If r2 > 0, then s2 = 0. Since V1 (a) = V2 (a) = b = 0, we have V1 + V2 = 0 at P . Therefore, d(P ) = 0. Therefore, the order of U at P is r1 + r2 . As pointed out previously, the order of (y − V0 )d at P is at least r1 + r2 , so the order of y − V0 at P is at least r1 + r2 . Therefore, (U, y − V0 ) contains (r1 + r2 ) ([P ] − [∞]), which matches D1 + D2 . Since (U, y − V0 ) is semi-reduced, it has no terms with w(P ). Neither does D1 + D2 . Finally, suppose s2 > 0. Then r2 = 0. Then y − V1 has order at least r1 at P and y − V2 has order at least s2 at w(P ). Therefore, V2 (a) = −b, so y − V2 takes the value 2b = 0 at P . Since (y + V2 )(y − V2 ) = f − V22 is a multiple of U2 , which has order s2 at P , the order of y + V2 at P is at least s2 . Therefore, the order at P of V1 + V2 = (V1 − y) + (y + V2 ) is at least min(r1 , s2 ) = s2 , by the choice of r1 . It follows that d, which is the gcd of U1 , U2 , and V1 + V2 , has order exactly s2 at P , since this minimum is attained for U2 . The order of U at P is therefore r1 + s2 − 2s2 = r1 − s2 . We know that (y − V0 )d has order at least r1 at P . Similarly, it has order at least s2 at w(P ). Therefore, y − V0 has order at least r1 − s2 at P . If r1 − s2 > 0, then (U, y − V0 ) contains (r1 − s2 ) ([P ] − [∞]). Since it is semi-reduced, it does not contain [w(P )] − [∞]. If r1 − s2 = 0, then U (P ) = 0, so (U, y − V0 ) contains neither P nor w(P ). Therefore, (U, y − V0 ) agrees at P and w(P ) with D1 +D2 −s2 ([P ] + [w(P )] − 2[∞]), hence agrees with the semi-reduction of D1 + D2 . We have therefore proved that (U, y −V0 ) and the semi-reduction of D1 +D2 agree at all terms, so they are equal. Since (U, y − V ) = gcd(U, y − V0 ), this completes the proof that the divisor represented by (U, V ) is in the divisor class of D1 + D2 . Note that we have proved that y − V0 vanishes at least to the order of

420

CHAPTER 13 HYPERELLIPTIC CURVES

vanishing of U at each point (a, V0 (a)). By Proposition 13.4, f − V02 is a multiple of U . Since V ≡ V0 (mod U ), f − V 2 is also a multiple of U , as required. Steps (4) through (7) are the reduction algorithm. Theorem 13.9 says that this process yields the desired reduced divisor. Example 13.1 Consider the curve C : y 2 = x5 − 1 over F3 . Let’s compute  2  x − x + 1, −x + 1 + (x − 1, 0) . We have U1 = x2 − x + 1, U2 = x − 1, V1 + V2 = −x + 1. The gcd of these is 1, and (x2 − x + 1) · 1 + (x − 1) · (−x) + (−x + 1) · 0 = 1, so we may take h1 = 1, h2 = −x, h3 = 0. We obtain U = (x2 − x + 1)(x − 1) = x3 + x2 − x − 1, V ≡ 0 + (x − 1)(−x + 1)(−x) + 0 = x3 + x2 + x ≡ −x + 1

(mod U ).

The reduction procedure yields 5 2 ˜ = (x − 1) − (−x + 1) = x2 − x − 1 U U

and V˜ = x − 1. Therefore,  2    x − x + 1, −x + 1 + (x − 1, 0) = x2 − x − 1, x − 1 .

13.4 The Discrete Logarithm Problem Up to now, we have been working over an algebraically closed field. But now we consider a curve and divisors defined over a finite field Fq . We continue to assume that q is not a power of 2, so we can use (13.2) instead of (13.1). We take f (x) in (13.2) to be a polynomial with coefficients in Fq and with no multiple roots in Fq . Let φ be the q-th power Frobenius map. A divisor D is said to be defined over Fq if φ(D) = D (where φ([P ]) is defined to be [φ(P )] and φ([∞]) = [∞]). This means that φ can permute the summands of D as long as it leaves the overall sum unchanged. A divisor class is said to be defined over Fq if φ(D) − D is a principal divisor for some (equivalently,

SECTION 13.4 THE DISCRETE LOGARITHM PROBLEM

421

all) divisors D in the divisor class. These correspond to the points on the Jacobian variety that are defined over Fq . We denote this set by J(Fq ). Suppose D is a divisor of degree 0 such that φ(D) is in the same divisor class as D. The divisor class of D contains a unique reduced divisor R, and the divisor class of φ(D) contains φ(R) (proof: D −R = div(F ), so φ(D)−φ(R) = div(φ(F ))), and φ(R) is also reduced. The uniqueness implies that R = φ(R). Therefore, the divisor class contains a divisor fixed by φ. The reduced divisor R corresponds to a unique pair (U, V ) of polynomials. The divisor φ(R) corresponds to the pair (U φ , V φ ), where U φ denotes the polynomial obtained by applying φ to the coefficients of U . Since φ(R) = R, we have U φ = U and V φ = V , because the pair corresponding to a divisor is unique. It follows that a divisor class that is mapped to itself by φ corresponds to a unique pair (U, V ) of polynomials, with U, V ∈ Fq [x] (= the set of polynomials with coefficients in Fq ). Conversely, if U, V ∈ Fq [x], then gcd (div(U ), div(y − V )) is fixed by φ, hence yields a divisor class fixed by φ. We have proved the following. PROPOSITION 13.11 There is a one-to-one correspondence between J(Fq ) and pairs (U, V ) of polynomials with coefficients in Fq satisfying 1. U is monic. 2. deg V < deg U ≤ g. 3. V 2 − f (x) is a multiple of U . Since there are only finitely many polynomials U ∈ Fq [x] of degree at most g, there are only finitely many divisor classes of degree 0 that are defined over Fq . In other words, J(Fq ) is finite. It is easy to see that it is closed under addition, so it forms a group. Alternatively, Cantor’s algorithm clearly takes pairs of polynomials defined over Fq to pairs defined over Fq . In fact, we could ignore the geometry completely and consider a group whose elements are suitable pairs of polynomials and whose law of composition is given by Cantor’s algorithm. This defines a group (although the associativity might be difficult to prove without the geometric interpretation). Example 13.2 Let’s consider the case where deg U = 1. Then U = x − a for some a, and V = b for some b ∈ Fq . Also, f (x) ≡ f (a) (mod x − a), so b2 = V 2 ≡ f (a), hence b2 = f (a). This means that (a, b) is a point on the curve. The divisor class for (U, V ) is defined over Fq if and only if the polynomials x − a and b have coefficients in Fq , which happens if and only if the point (a, b) has coordinates in Fq .

422

CHAPTER 13 HYPERELLIPTIC CURVES

Example 13.3 Let D = gcd(div(U ), div(y − V )), which corresponds to (U, V ), and suppose that deg U = 2 where U is an irreducible polynomial in Fq [x]. We can factor U as (x − a1 )(x − a2 ) over Fq2 . Then D = [(a1 , V (a1 ))] + [a2 , V (a2 ))] − 2[∞]. Since a1 , a2 ∈ Fq , the points (ai , V (ai )) are not defined over Fq . However, φ interchanges [(a1 , V (a1 ))] and [(a2 , V (a2 ))], hence φ(D) = D. Example 13.4 Let’s consider the curve C : y 2 = x5 − 1 over F3 . The points in C(F3 ) are {∞, (1, 0), (−1, 1), (−1, −1)}. Denote the elements of F9 as a + bi with a, b ∈ {−1, 0, 1} and i = elements of C(F9 ) are ∞,

(1, 0),

(−1, 1),

(−1, −1),

(−1 + i, −1 − i),

(−1 + i, 1 + i),

(0, i),

(−1 − i, 1 − i),

√

−1. The

(0, −i), (−1 − i, −1 + i).

The pairs of polynomials (U, V ) corresponding to reduced divisors are D ≡ (x2 − 1, x − 1),

2D ≡ (x2 − x + 1, x − 1),

4D ≡ (x + 1, −1), 2

5D ≡ (x − 1, 0),

7D ≡ (x − x − 1, −x + 1), 2

3D ≡ (x2 − x − 1, x − 1), 6D ≡ (x + 1, 1),

2

8D ≡ (x − x + 1, −x + 1),

9D ≡ (x − 1, −x + 1),

10D ≡ (1, 0)

(where “≡” denotes congruence modulo principal divisors). These can be found by exhaustively listing all polynomials U of degree at most 2 with coefficients in F3 , and finding solutions to V 2 ≡ x5 − 1 (mod U ) when they exist. The pair (x + 1, 1) corresponds to the divisor gcd (div(x + 1), div(y − 1)) = [(−1, 1)] − [∞]. The pair (x2 − x − 1, x − 1) corresponds to the divisor [(−1 + i, 1 + i)] + [(−1 − i, 1 − i)] − 2[∞]. This can be seen as follows. The roots of x2 − x − 1 are x = −1 + i and x = −1 − i. The polynomial V = x − 1 tells us that the y-coordinates satisfy y = x − 1, which yields y = 1 + i and y = 1 − i. The points (−1 + i, 1 + i) and (−1 − i, 1 − i) are not defined over F3 individually. However, they are interchanged by the Frobenius map, which maps i → i3 = −i, so the divisor is left unchanged by Frobenius and is therefore defined over F3 . Similarly, the pair (x2 + 2x + 2, 2x + 1) corresponds to the divisor [(−1 + i, −1 − i)] + [(−1 − i, −1 + i)] − 2[∞]. The divisor [(0, i)] + [(0, −i)] − 2[∞] is also defined over F3 . What does it correspond to? Observe that it is not reduced since w(0, i) = (0, −i). Therefore, it must be reduced first. Since it is of the form [P ] + [w(P )] − 2[∞], it is principal, so

SECTION 13.4 THE DISCRETE LOGARITHM PROBLEM

423

it reduces to the trivial divisor, corresponding to the pair (1, 0). In fact, it is the divisor of the function x on C. Koblitz [62] proposed the discrete logarithm problem in groups of the form J(Fq ) as the basis for cryptosystems such as those in Chapter 6. The first question is how large is J(Fq )? It was proved by Weil, as a generalization of Hasse’s Theorem, that √ √ 2g 2g ( q − 1) ≤ #J(Fq ) ≤ ( q + 1) . Therefore, the “square root” attacks such as Baby Step, Giant Step and the ρ and λ methods from Chapter 5 work in time around q g/2 , which is approximately the square root of the order of the group. However, for Jacobians of hyperelliptic curves, there is an index calculus that is faster than the square root algorithms when g ≥ 3. (On the other hand, for g = 2, it is possible that the corresponding cryptosystems are more secure than those for elliptic curves.) We now describe the method. Recall that in the index calculus over the integers mod p, we needed the notions of B-smoothness and of factorization into small primes. The following result lets us define a similar notion for divisors. PROPOSITION 13.12 Let (U, V ) be a pair of polynomials in Fq [x] representing a semi-reduced divisor. Factor U (x) = i Ui (x) into polynomials in Fq [x]. Let Vi ≡ V (mod Ui ) with deg Vi < deg Ui . Then (Ui , Vi ) represents a semi-reduced divisor Di and i Di = D. If D is reduced, so is each Di . PROOF Since Vi2 ≡ V 2 ≡ f (mod Ui ), the pair (Ui , Vi ) represents a divisor, so all that needs to be proved is that i Di = D.  Write Ui (x) = j (x − aj )cj with aj ∈ Fq . Then gcd (div(Ui ), div(y − Vi )) =



cj ([Pj ] − [∞]) ,

j

where Pj = (aj , Vj (aj )). But Vi = V + Ui ki for some polynomial ki , so Vi (aj ) = V (aj ) + Ui (aj )ki (aj ) = V (aj ). Therefore, the points that appear in the divisors Di for the pairs (Ui , Vi ) are those that appear in the divisor for (U, V ). The multiplicities of the points  in the sum of the Di add up to those in D since i Ui = U . Therefore, i Di = D. The degree of a semi-reduced divisor is the degree of the corresponding polynomial U . We call a semi-reduced divisor prime if it has degree at least

424

CHAPTER 13 HYPERELLIPTIC CURVES

1, it is defined over Fq , and it cannot be written as a sum of semi-reduced divisors of smaller degree, each defined over Fq . By the proposition, this is equivalent to U being an irreducible polynomial in Fq [x]. We say that a semi-reduced divisor is B-smooth if it is the sum of prime divisors of degree ≤ B. In the case of elliptic curves, this concept is not useful, since each rational divisor of degree 0 is in the same divisor class as a 1-smooth divisor. See Exercise 13.8. However, it turns out to be quite useful for larger g. Suppose we have divisor classes represented by divisors D1 and D2 , and we are given that D2 is in the same class as kD1 for some integer k. The discrete logarithm problem is to find k. The first index calculus attack on the discrete logarithm problem for hyperelliptic curves was given by Adleman, DeMarrais, and Huang [3]. Various refinements have been proposed. The variation we present below is essentially due to Harley and Gaudry. Improvements by Th´eriault [120] yield an algorithm whose running time is bounded by a constant (depending on the arbitrarily small number ) times g 5 q 2+−(4/(2g+1)) . For g ≥ 3, this is faster than the square root algorithms when q is large. Therefore, the best curves for cryptographic applications are probably those with g = 2. We assume that D1 , D2 are reduced and represented by (Ui , Vi ) for i = 1, 2. Fix a bound B (often, B = 1). List all the irreducible polynomials T (x) ∈ Fq [x] of degree ≤ B. For each such polynomial T , find a polynomial W (x) such that W 2 ≡ f (mod T ), if one exists (see Exercise 13.11). The resulting list of polynomials (Tj , Wj ), 1 ≤ j ≤ s, is the factor base. Note that we include only one of (T, W ) and (T, −W ), since they are inverses of each other (Exercise 13.5). Let N = #J(Fq ). We assume that N is known since this is the case in most cryptographic algorithms. However, there are index calculus methods that determine N . See [3]. The algorithm proceeds as follows: 1. Start with a “matrix” M with no rows and s columns. 2. Choose random integers m and n. 3. Compute the pair (U, V ) for the sum mD1 + nD2 using Cantor’s algorithm. 4. If U does not factor into irreducible of degree ≤ B, go back  polynomials to Step 2. Otherwise, let U = Tici be the factorization of U into irreducible polynomials from the factor base. 5. The factorization in Step 4 yields a decomposition mD1 + nD2 ≡

s  i=1

(±ci )Di

(mod principal divisors)

SECTION 13.4 THE DISCRETE LOGARITHM PROBLEM

425

where Di is the divisor corresponding to (Ti , Wi ) and where +ci is chosen if Wi ≡ V (mod Ti ) and −ci is chosen if −Wi ≡ V (mod Ti ). Append the row r = (±c1 , . . . , ±cs ) to the matrix M . 6. If the number r of rows of M is less than s, return to Step 2. If r ≥ s, continue to step 7. 7. Let ri denote the ith row of M . Find a relation di ri ≡ 0 (mod N ) among the rows of M , with di ∈ Z. 8. Let m of m, n from Step 2 that yield the row ri . Let i , ni be the values m0 = di mi and n0 = di ni . 9. If gcd(m0 , N ) = 1, let k ≡ −n0 m−1 (mod N ). 0 10. If gcd(m0 , N ) = 1, continue to do Steps 2 through 9 and find more relations among the rows until a relation is found that yields gcd(m0 , N ) = 1. 11. Output k. REMARK 13.13

What the algorithm does is compute relations m1 D1 + n1 D2 ≡ c11 D1 + · · · + c1s Ds ··· ··· ··· mr D1 + nr D2 ≡ cr1 D1 + · · · + crs Ds

Adding the appropriate rows corresponding to a relation among the rows yields m0 D1 + n0 D2 ≡ 0 · D1 + · · · + 0 · Ds . Dividing by −m0 yields D1 ≡ −(n0 /m0 )D2 . REMARK 13.14 The Pollard ρ method (Section 5.2.2) also looks at sums mD1 + nD2 and looks for a match between the divisors obtained for two different pairs (m, n). This corresponds to a relation of two rows being equal in the present method. The possibility of much more general relations among the rows makes the present method much faster than the ρ method. In the ρ method, the random integers m, n are chosen by a type of random walk. This is also a good way to proceed in the present method. Example 13.5 Consider the curve C : y 2 = x5 − 1 over F3 . Let D1 = (x2 − 1, x − 1) and D2 = (x2 − x − 1, −x + 1). The problem is to find k such that D2 = kD1 .

426

CHAPTER 13 HYPERELLIPTIC CURVES

Take (x − 1, 0) and (x + 1, −1) as the factor base. Calculations yield 3D1 + 5D2 = ((x + 1)2 , −x + 1) = 2(x + 1, −1) 4D1 + 3D2 = (x − 1, 0) D1 + 4D2 = (x2 − 1, −x + 1) = (x − 1, 0) + (x + 1, −1). If we take (first row) + 2(second row) − 2(third row), we obtain 9D1 + 3D2 = 0. Since the group J(F3 ) has order 10 (see Example 13.4), multiplication by 3 yields 7D1 = D2 .

Exercises 13.1 Let C be the curve in Example 13.4. Use Cantor’s algorithm to show that (x, i) + (x, −i) = (1, 0). 13.2 Let E be the elliptic curve y 2 = x3 − 2. (a) Use Cantor’s algorithm to compute the sum of pairs (x − 3, 5) + (x − 3, 5). (b) Compute the sum (3, 5) + (3, 5) on E. Compare with (a). More generally, see Exercise 13.9 below. 13.3 Let C be the hyperelliptic curve y 2 = x5 − 5x3 + 4x + 1. (a) Show that div(y − 1) = [(−1, 1)] + [(−2, 1)] + [(1, 1)] + [(2, 1)] + [(0, 1)] − 5[∞] (b) Show that div(x) = [(0, 1)] + [(0, −1)] − 2[∞]. (c) Find a reduced divisor equivalent modulo principal divisors to [(−1, 1)] + [(−1, −1)] + [(1, 1)] + [(2, 1)] + [(0, 1)] − 5[∞]. 13.4 (a) Let F (x, y) be a function on a hyperelliptic curve and let G(x, y) = F (x, −y). What is the relation between div(F ) and div(G)? (b) Let D be a principal divisor. Show that w(D) is also a principal divisor. Give two proofs, one using (a) and the second using the fact that D + w(D) is principal. 13.5 Let (U, V ) be the pair corresponding to a semi-reduced divisor D. Show that (U, −V ) is the pair for w(D).

EXERCISES

427

13.6 Let (U, V ) be the pair corresponding to a semi-reduced divisor. (a) Use Cantor’s algorithm to show that (U, V ) + (1, 0) = (U, V ). (b) Use Cantor’s algorithm to show that (U, V ) + (U, −V ) = (1, 0). 13.7 Let C be a hyperelliptic curve and let D be a divisor of degree 0. (a) Show that if 3D is principal then 2D is equivalent to w(D) mod principal divisors. (b) Let P = ∞ be a point on C. Show that if the genus of C is at least 2 then 3 ([P ] − [∞]) is not principal. (Hint: Use the uniqueness part of Proposition 13.6.) This shows that the image of C in its Jacobian intersects the 3torsion on the Jacobian trivially. 13.8 Let E be an elliptic curve defined over a field K and let (U, V ) be a pair of polynomials with coefficients in K corresponding to a semi-reduced divisor class. (a) Show that the reduction algorithm applied to (U, V ) yields either the pair (1, 0) or a pair (x − a, b), with a, b ∈ K. (b) Show that (1, 0) corresponds to the divisor 0, and (x − a, b) corresponds to the divisor [(a, b)] − [∞]. 13.9 Let E be an elliptic curve, regarded as a hyperelliptic curve. Show that Cantor’s algorithm corresponds to addition of points on E by showing that (x−a1 , b1 )+(x−a2 , b2 ) yields (x−a3 , b3 ), where (a1 , b1 )+(a2 , b2 ) = (a3 , b3 ). 13.10 Let f1 (T ), . . . , fn (T ) be polynomials (with coefficients in some field K) that are pairwise without common factors, and let a1 (T ), . . . , an (T ) be arbitrary polynomials with coefficients in K. For each i, let Fi (T ) =
j
=i fj . Since gcd(fi , Fi ) = 1, there exists gi (T ) with gi (T )Fi (T ) ≡ 1 (mod fi ) (this can be proved using the Euclidean algorithm). Let A(T ) = a1 (T )g1 (T )F1 (T ) + · · · + an (T )gn (T )Fn (T ). Show that A ≡ ai (mod fi ) for all i. (Remark: This is the Chinese Remainder Theorem for polynomials.) 13.11 Let q be a power of an odd prime. Let U (T ) be an irreducible polynomial in Fq [T ] of degree n. Then Fq [T ]/(U (T )) is a field with q n elements. Let f (T ) ∈ Fq [T ] with f (T ) ≡ 0 (mod U (T )). Show that there exists n V (T ) ∈ Fq [T ] such that V 2 ≡ f (mod U ) if and only if f (q −1)/2 ≡ 1 (mod U ). (Hint: The multiplicative group of a finite field is cyclic.) (Remark. There are algorithms for finding square roots in finite fields. See [25].)

Chapter 14 Zeta Functions

14.1 Elliptic Curves over Finite Fields Let E be an elliptic curve over a finite field Fq . Let Nn = #E(Fqn ) be the number of points on E over the field Fqn . The Z-function of E is defined to be
∞   Nn Tn . ZE (T ) = exp n n=1  n Here exp(t) = t /n! is the usual exponential function. The Z-function encodes certain arithmetic information about E as the coefficients of a generating function. The presence of the exponential function is justified by the simple form for ZE (T ) in the following result. PROPOSITION 14.1 Let E be an elliptic curve defined over Fq , and let #E(Fq ) = q + 1 − a. Then

ZE (T ) =

PROOF

qT 2 − aT + 1 . (1 − T )(1 − qT )

Factor X 2 − aX + q = (X − α)(X − β). Theorem 4.12 says that Nn = q n + 1 − α n − β n . 429

430

CHAPTER 14 ZETA FUNCTIONS

Therefore, using the expansion − log(1 − t) =
∞   Nn n T ZE (T ) = exp n n=1 
∞ n  T (q n + 1 − αn − β n ) = exp n n=1



tn /n, we have

= exp (− log(1 − qT ) − log(1 − T ) + log(1 − αT ) + log(1 − βT )) =

(1 − αT )(1 − βT ) (1 − T )(1 − qT )

=

qT 2 − aT + 1 . (1 − T )(1 − qT )

Note that the numerator of ZE (T ) is the characteristic polynomial of the Frobenius endomorphism, as in Chapter 4, with the coefficients in reverse order. A function ZC (T ) can be defined in a similar way for any curve C over a finite field, and, more generally, for any variety over a finite field. It is always a rational function (proved by E. Artin and F. K. Schmidt for curves and by Dwork for varieties). The zeta function of E is defined to be ζE (s) = ZE (q −s ), where s is a complex variable. As we’ll see below, ζE (s) can be regarded as an analogue of the classical Riemann zeta function ζ(s) =

∞  1 . ns n=1

One of the important properties of the Riemann zeta function is that it satisfies a functional equation relating the values at s and 1 − s: π −s/2 Γ(s/2)ζ(s) = π −(1−s)/2 Γ((1 − s)/2)ζ(1 − s). A famous conjecture for ζ(s) is the Riemann Hypothesis, which predicts that if ζ(s) = 0 with 0 ≤ (s) ≤ 1 then (s) = 1/2 (there are also the “trivial” zeros at the negative even integers). The elliptic curve zeta function ζE (s) also satisfies a functional equation, and the analogue of the Riemann Hypothesis holds.

SECTION 14.1 ELLIPTIC CURVES OVER FINITE FIELDS

431

THEOREM 14.2 Let E be an elliptic curve defined over a finite field. 1. ζE (s) = ζE (1 − s) 2. If ζE (s) = 0, then (s) = 1/2. PROOF tion 14.1:

The proof of the first statement follows easily from Proposi-

ζE (s) =

q 1−2s − aq −s + 1 (1 − q −s )(1 − q 1−s )

=

1 − aq s−1 + q −1+2s (q s − 1)(q s−1 − 1)

= ζE (1 − s). Since the numerator of ZE (T ) is (1 − αT )(1 − βT ), we have ζE (s) = 0 ⇐⇒ q s = α or β. By the quadratic formula, α, β =

a±

 a2 − 4q . 2

Hasse’s theorem (Theorem 4.2) says that √ |a| ≤ 2 q, hence a2 − 4q ≤ 0. Therefore, α and β are complex conjugates of each other, and √ |α| = |β| = q. If q s = α or β, then

q (s) = |q s | =

√

q.

Therefore, (s) = 1/2. There are infinitely many solutions to q s = α. However, if s0 is one such solution, all others are of the form s0 + 2πin/ log q with n ∈ Z. A similar situation holds for β. If C is a curve, or a variety, over a finite field, then an analogue of Theorem 14.2 holds. For curves, the functional equation was proved by E. Artin and F. K. Schmidt, and the Riemann Hypothesis was proved by Weil in the 1940s. In 1949, Weil announced what became known as the Weil conjectures, which predicted that analogues of Proposition 14.1 and Theorem 14.2 hold for

432

CHAPTER 14 ZETA FUNCTIONS

varieties over finite fields. The functional equation was proved in the 1960s by M. Artin, Grothendieck, and Verdier, and the analogue of the Riemann Hypothesis was proved by Deligne in 1973. Much of Grothendieck’s algebraic geometry was developed for the purpose of proving these conjectures. Finally, we show how ζE (s) can be defined in a way similar to the Riemann zeta function. Recall that the Riemann zeta function has the Euler product expansion ζ(s) =

 p

1 1− s p

−1

when (s) > 1. The product is over the prime numbers. We obtain ζE (s) if we replace the primes p by points on E. Consider a point P ∈ E(Fq ). Define deg(P ) to be the smallest n such that P ∈ E(Fqn ). The Frobenius map φq acts on P , and it is not difficult to show that the set SP = {P, φq (P ), φ2q (P ), . . . , φn−1 (P )} q has exactly n = deg(P ) elements and that φnq (P ) = P . Each of the points in SP also has degree n. PROPOSITION 14.3 Let E be an elliptic curve over Fq . Then  ζE (s) = 1− SP

−1

1 q s deg(P )

,

where the product is over the points P ∈ E(Fq ), but we take only one point from each set SP . PROOF If deg(P ) = m, then P and all the other points in SP have coordinates in Fqm . Since Fqm ⊆ Fqn if and only if m|n, we see that SP contributes m points to Nn = #E(Fqn ) if and only if m|n, and otherwise it contributes no points to Nn . Therefore, Nn =





m|n

SP deg(P )=m

m.

SECTION 14.2 ELLIPTIC CURVES OVER Q

433

Substituting this into the definition of Z(T ), we obtain ∞  Nn n T log Z(T ) = n n=1

=

∞  1 n T n n=1 m|n

=

=

∞  ∞  1 mj j=1 m=1 ∞   1 j=1 SP

=−



j

Tj



m

SP deg(P )=m



mT mj

(where mj = n)

SP deg(P )=m

deg(P )

log(1 − T deg(P ) ).

SP

Let T = q −s and exponentiate to obtain the result.

14.2 Elliptic Curves over Q Let E be an elliptic curve defined over Q. By changing variables if necessary, we may assume that E is defined by y 2 = x3 + Ax + B with A, B ∈ Z. For a prime p, we can reduce the equation y 2 = x3 + Ax + B mod p. If E mod p is an elliptic curve, then we say that E has good reduction mod p. This happens for all but finitely many primes. For each such p, we have #E(Fp ) = p + 1 − ap , as in Section 14.1. The L-function of E is defined to be approximately the Euler product 

−1 1 − ap p−s + p1−2s . good p

This definition is good enough for many purposes. However, for completeness, we say a few words below about what happens at the primes of bad reduction. The factor 1−ap p−s +p1−2s perhaps seems to be rather artificially constructed. However, it is just the numerator of the zeta function for E mod p, as in Section 14.1. It might seem more natural to use the whole mod p zeta function, but the factors arising from the denominator yield the Riemann zeta function (with a few factors removed) evaluated at s and at s + 1. Since the presence of the zeta function would complicate matters, the denominators are omitted in the definition of LE (s).

434

CHAPTER 14 ZETA FUNCTIONS

For the primes where there is bad reduction, the cubic x3 + Ax + B has multiple roots mod p. If it has a triple root, we say that E has additive reduction mod p. If it has a double root mod p, it has multiplicative reduction. Moreover, if the slopes of the tangent lines at the singular point (see Theorem 2.31) are in Fp , we say that E has split multiplicative reduction mod p. Otherwise, it has nonsplit multiplicative reduction. To treat the primes p = 2 and p = 3, we need to use the general Weierstrass form for E. For simplicity, we have ignored these primes in the preceding discussion. However, in the example below, we’ll include them. There are many possible equations for E with A, B ∈ Z. We assume that A, B are chosen so that the reduction properties of E are as good as possible. In other words, we assume that A and B are chosen so that the cubic has the largest obtainable number of distinct roots mod p, and the power of p in the discriminant 4A3 + 27B 2 is as small as possible, for each p. It can be shown that there is such a choice of A, B. Such an equation is called a minimal Weierstrass equation for E. Example 14.1 Suppose we start with E given by the equation y 2 = x3 − 270000x + 128250000. The discriminant of the cubic is −28 312 512 11, so E has good reduction except possibly at 2, 3, 5, 11. The change of variables x = 25x1 ,

y = 125y1

transforms the equation into y12 = x31 − 432x1 + 8208. The discriminant of the cubic is −28 312 11, so E also has good reduction at 5. This is as far as we can go with the standard Weierstrass model. To treat 2 and 3 we need to allow generalized Weierstrass equations. The change of variables x1 = 9x2 − 12, y1 = 27y2 changes the equation to

y22 = x32 − 4x22 + 16.

The discriminant of the cubic is −28 11, so E has good reduction at 3. Since any change of variables can be shown to change the discriminant by a square, this is the best we can do, except possibly at the prime 2. The change of variables x2 = 4x3 , y2 = 8y3 + 4 changes the equation of E to y32 + y3 = x33 − x23 .

SECTION 14.2 ELLIPTIC CURVES OVER Q

435

This is nonsingular at 2 (since the partial derivative with respect to y is 2y + 1 ≡ 1 ≡ 0 (mod 2)). Therefore, E has good reduction at 2. We conclude that E has good reduction at all primes except p = 11, where it has bad reduction. The equation y32 +y 3 = x33 −x23 is the minimal Weierstrass equation for E. Let’s analyze the situation at 11 more closely. The polynomial in x2 factors as x32 − 4x22 + 16 = (x2 + 1)2 (x2 + 5). Therefore, E has multiplicative reduction at 11. The method of Section 2.10 shows that the slopes of the tangent lines at the singular point (x2 , y2 ) = (−1, 0) are ±2, which lie in F11 . Therefore, E has split multiplicative reduction at 11. We now give the full definition of the L-series of E. For a prime p of bad reduction, define ⎧ ⎨ 0 if E has additive reduction at p 1 if E has split multiplicative reduction at p ap = ⎩ −1 if E has nonsplit multiplicative reduction at p. The numbers ap for primes of good reduction are those given above: ap = p + 1 − #E(Fp ). Then the L-function of E is the Euler product 

−1 

−1 1 − ap p−s 1 − ap p−s + p1−2s . LE (s) = bad p

good p

√ The estimate |ap | < 2 p easily implies that the product converges for (s) > 3/2 (see Exercise 14.3). Each good factor can be expanded in the form (1 − ap p−s + p1−2s )−1 = 1 + ap p−s + ap2 p−2s + · · · , where the ap on the left equals the ap on the right (so this is not bad notation) and ap2 = a2p − p.

(14.1)

The product over all p yields an expression LE (s) =

∞ 

an n−s .

n=1

If n =

 j

e

pj j , then an =

 j

apej . j

(14.2)

436

CHAPTER 14 ZETA FUNCTIONS

This series for LE (s) converges for (s) > 3/2. It is natural to ask whether LE (s) has an analytic continuation to all of C and a functional equation, as is the case with the Riemann zeta function. As we’ll discuss below, the answer to these questions is yes. However, the proof is much too deep to be included in this book (but see Chapter 15 for a discussion of the proof). To study the analytic properties of LE (s), we introduce a new function. Let τ ∈ H, the upper half of the complex plane, as in Chapter 9, and let q = e2πiτ . (This is the standard notation; there should be no possibility of confusion with the q for finite fields of Chapter 4.) Define fE (τ ) =

∞ 

an q n .

n=1

This is simply a generating function that encodes the number of points on E mod the various primes. It converges for τ ∈ H and satisfies some amazing properties. Let N be a positive integer and define      ab  ∈ SL2 (Z)  c ≡ 0 (mod N ) . Γ0 (N ) = cd Then Γ0 (N ) is a subgroup of SL2 (Z). The following result was conjectured by Shimura and has been known by various names, for example, the Weil conjecture, the Taniyama-ShimuraWeil conjecture, and the Taniyama-Shimura conjecture. All three mathematicians played a role in its history. THEOREM 14.4 (Breuil, Conrad, Diamond, Taylor, Wiles) Let E be an elliptic curve defined over Q. There exists an integer N such that, for all τ ∈ H, 1.

 fE

2.

aτ + b cτ + d



= (cτ + d)2 fE (τ )

 for all

ab cd

 ∈ Γ0 (N )

fE (−1/(N τ )) = ±N τ 2 fE (τ ).

For a sketch of the proof of this result, see Chapter 15. The theorem (if we include statements about the behavior at cusps on the real axis) says that fE (τ ) is a modular form (in fact, a cusp form; see Section 15.2) of weight 2 and level N . The smallest possible N is called the conductor of E. A prime p divides this N if and only if E has bad reduction at p. When E has multiplicative reduction, p divides N only to the first power. If E has additive reduction and p > 3, then p2 is the exact power of p dividing N . The formulas for p = 2 and 3 are slightly more complicated in this case. See [117].

SECTION 14.2 ELLIPTIC CURVES OVER Q

437

The transformation law in (1) can be rewritten as     aτ + b aτ + b fE d = fE (τ ) dτ cτ + d cτ + d (this is bad notation: d represents both an integer and the differentiation operator; it should be clear which is which). Therefore, fE (τ ) dτ is a differential that is invariant under the action of Γ0 (N ). Once we have the relation (1), the second relation of the theorem is perhaps not as surprising. Every function satisfying (1) is a sum of two functions satisfying (2), one with a plus sign and one with a minus sign (see Exercise 14.2). Therefore (2) says that fE lies in either the plus space or the minus space. Taniyama first suggested the existence of a result of this form in the 1950s. Eichler and Shimura then showed that if f is a cusp form (more precisely, a newform) of weight 2 (and level N for some N ) such that all the coefficients an are integers, then there is an elliptic curve E with fE = f . This is the converse of the theorem, but it gave the first real evidence that Taniyama’s suggestion was reasonable. In 1967, Weil made precise what the integer N must be for any given elliptic curve. Since there are only finitely many modular forms f of a given level N that could arise from elliptic curves, this meant that the conjecture (Taniyama’s suggestion evolved into a conjecture) could be investigated numerically. If the conjecture had been false for some explicit E, it could have been disproved by computing enough coefficients to see that fE was not on the finite list of possibilities. Moreover, Weil showed that if functions like LE (s) (namely LE and its twists) have analytic continuations and functional equations such as the one given in Corollary 14.5 below, then fE must be a modular form. Since most people believe that naturally defined L-functions should have analytic continuations and functional equations, this gave the conjecture more credence. Around 1990, Wiles proved that there are infinitely many distinct E (that is, with distinct j-invariants) satisfying the theorem. In 1994, with the help of Taylor, he showed that the theorem is true for all E such that there is no additive reduction at any prime (but multiplicative reduction is allowed). Such curves are called semistable. Finally, in 2001, Breuil, Conrad, Diamond, and Taylor [20] proved the full theorem. Let’s assume Theorem 14.4 and show that LE (s) analytically continues and satisfies a functional equation. Recall that the gamma function is defined for (s) > 0 by  ∞

Γ(s) = 0

ts−1 e−t dt.

Integration by parts yields the relation sΓ(s) = Γ(s + 1), which yields the meromorphic continuation of Γ(s) to the complex plane, with poles at the

438

CHAPTER 14 ZETA FUNCTIONS

nonpositive integers. It also yields the relation Γ(n) = (n − 1)! for positive integers n. COROLLARY 14.5 Let E and N be as in Theorem 14.4. Then √ √ ( N /2π)s Γ(s)LE (s) = ∓( N /2π)2−s Γ(2 − s)LE (2 − s) for all s ∈ C (and both sides continue analytically to all of C). The sign here is the opposite of the sign in (2) of Theorem 14.4. PROOF

Using the definition of the gamma function, we have

 ∞  √ √ ( N /2π)s Γ(s)LE (s) = an ( N /2πn)s =

n=1 ∞ 

 an

n=1  ∞

= 0

 =

0

∞

0

∞

0

ts−1 e−t dt

√ du (u N )s e−2πnu u

(let t = 2πnu)

√ du (u N )s fE (iu) u

√ 1/ N

 ∞ √ s √ s du du + (u N ) fE (iu) (u N ) fE (iu) . √ u u 1/ N

(The interchange of summation and integration to obtain the third equality is justified since the sum for f (iu) converges very quickly near ∞.) Let  be the sign in part (2) of Theorem 14.4. Then fE (i/(N u)) = (iu)2 fE (iu) = −u2 fE (iu). Therefore, let u = 1/N v to obtain  0

√ 1/ N

 ∞ √ √ 2−s du dv = − (u N )s fE (iu) fE (iv) . √ (v N ) u v 1/ N

This implies that √ ( N /2π)s Γ(s)LE (s) =  ∞  ∞ √ s √ 2−s du dv −  (u N ) f (iu) (v N ) fE (iv) . E √ √ u v 1/ N 1/ N Since f (iu) → 0 exponentially as u → ∞, it follows easily that both integrals converge and define analytic functions of s. Under s → 2 − s, the right side, hence the left side, is multiplied by −. This is precisely what the functional equation claims.

SECTION 14.2 ELLIPTIC CURVES OVER Q

439

Example 14.2 Let E be the elliptic curve y 2 +y = x3 −x2 considered in the previous example. If we compute the number Np of points on E mod p for various primes, we obtain, with ap = p + 1 − Np , a2 = −2,

a3 = −1,

a5 = 1,

a7 = −2,

a13 = 4, . . .

(except for p = 2, 3, 5, the numbers ap can be calculated using any of the equations in the previous example). The value a11 = 1 is specified by the formulas for bad primes. We then calculate the coefficients for composite indices. For example, a4 = a22 − 2 = 2

a6 = a2 a3 = 2, (see (14.2) and (14.1)). Therefore,

fE (τ ) = q − 2q 2 − q 3 + 2q 4 + q 5 + 2q 6 − 2q 7 + · · · . It can be shown that f (τ ) = q

∞ 

(1 − q j )2 (1 − q 11j )2

j=1

is a cusp form of weight 2 and level N = 11. In fact, it is the only such form, up to scalar multiples. The product for f can be expanded into an infinite series f (τ ) = q − 2q 2 − q 3 + 2q 4 + q 5 + 2q 6 − 2q 7 + · · · . It can be shown that f = fE (see [61]). The L-series for E satisfies the functional equation √ √ ( 11/2π)s Γ(s)LE (s) = +( 11/2π)2−s Γ(2 − s)LE (2 − s).

In the early 1960s, Birch and Swinnerton-Dyer performed computer experiments to try to understand the relation between the number of points on an elliptic curve mod p as p ranges through the primes and the number of rational points on the curve. Ignoring the fact that the product for LE (s) doesn’t converge at s = 1, let’s substitute s = 1 into the product (we’ll ignore the finitely many bad primes): 

1 − ap p

p

−1

+p

−1 −1

=

  p − ap + 1 −1 p

p

=

 p . Np p

440

CHAPTER 14 ZETA FUNCTIONS

If E has a lot of points mod p for many p, then many factors in the product are small, so we expect that LE (1) might be small. In fact, the data that Birch and Swinnerton-Dyer obtained led them to make the following conjecture. CONJECTURE 14.6 (Conjecture of Birch and Swinnerton-Dyer, Weak Form) Let E be an elliptic curve defined over Q. The order of vanishing of LE (s) at s = 1 is the rank r of E(Q). In other words, if E(Q)  torsion ⊕ Zr , then LE (s) = (s − 1)r g(s), with g(1) = 0, ∞. One consequence of the conjecture is that E(Q) is infinite if and only if LE (1) = 0. This statement remains unproved, although there has been some progress. In 1977, Coates and Wiles showed that if E has complex multiplication and has a point of infinite order, then LE (1) = 0. The results of Gross and Zagier on Heegner points (1983) imply that if E is an elliptic curve over Q such that LE (s) vanishes to order exactly 1 at s = 1, then there is a point of infinite order. However, if LE (s) vanishes to order higher than 1, nothing has been proved, even though there is conjecturally an abundance of points of infinite order. This is a common situation in mathematics. It seems that a solution is often easier to find when it is essentially unique than when there are many choices. Soon, Conjecture 14.6 was refined to give not only the order of vanishing, but also the leading coefficient of the expansion at s = 1. To state the conjecture, we need to introduce some notation. If P1 , . . . , Pr form a basis for the free part of E(Q), then E(Q) = E(Q)torsion ⊕ Z P1 ⊕ · · · ⊕ Z Pr . Recall the height pairing P, Q defined in Section 8.5. We can form the r × r matrix Pi , Pj  and compute its determinant to obtain what is known as the elliptic regulator for E. If r = 0, define this determinant to equal 1. Let ω1 , ω2 be a basis of a lattice in C that corresponds to E by Theorem 9.21. We may assume that ω2 ∈ R, by Exercise 9.5. If E[2] ⊂ E(R), let Ω = 2ω2 . Otherwise, let Ω = ω2 . For each prime p, there are integers cp that we won’t define, except to say that if p is a prime of good reduction then cp = 1. is the A formula for computing them is given [117]. Finally, recall that (conjecturally finite) Shafarevich-Tate group of E. CONJECTURE 14.7 (Conjecture of Birch and Swinnerton-Dyer) Let E be an elliptic curve defined over Q. Let r be the rank of E(Q). Then LE (s) = (s − 1)r

Ω



 (# c p p

E ) detPi , Pj 

#E(Q)2torsion

+ (s − 1)r+1 (br+1 + · · · ).

SECTION 14.2 ELLIPTIC CURVES OVER Q

441

This important conjecture combines most of the important information about E into one equation. When it was first made, there were no examples. As Tate pointed out in 1974 ([116, p. 198]), This remarkable conjecture relates the behavior of a function L at a point where it is not at present known to be defined to the order which is not known to be finite! of a group In 1986, Rubin gave the first examples of curves with finite , and was able to in several examples. Since they were complex compute the exact order of multiplication curves, LE (1) could be computed explicitly by known formulas (these had been used by Birch and Swinnerton-Dyer in their calculations), and this allowed the conjecture to be verified for these curves. Soon thereafter, Kolyvagin obtained similar results for elliptic curves satisfying Theorem 14.4 (which was not yet proved) such that LE (s) vanishes to order at most 1 at s = 1. Therefore, the conjecture is mostly proved (up to small rational factors) when LE (s) vanishes to order at most one at s = 1. In general, nothing is known when LE (s) vanishes to higher order. In fact, it is not ruled out (but most people believe it’s very unlikely) that LE (s) could vanish at s = 1 to very high order even though E(Q) has rank 0 or 1. In 2000, the Clay Mathematics Institute listed the Conjecture of Birch and Swinnerton-Dyer as one of its million dollar problems. There are surely easier (but certainly less satisfying) ways to earn a million dollars. For those who know some algebraic number theory, the conjecture is very similar to the analytic class number formula. For an imaginary quadratic field K, the zeta function of K satisfies 2πh ζK (s) = (s − 1)−1  + · · · , w |d| where h is the class number of K, d is the discriminant of K, and w is the number of roots of unity in K. Conjecture 14.7 for a curve of rank r = 0 predicts that   # E Ω c p p + ··· . LE (s) = 2 #E(Q)torsion The group E can be regarded as the analogue of the ideal class group, the number Ω p cp plays the role of 2π/ |d|, and #E(Q)torsion is the analogue of w. Except for the square on the order of the torsion group, the two formulas for the leading coefficients have very similar forms. Now let’s look at real quadratic fields K. The class number formula says that 4h log(η) √ + ··· , ζK (s) = (s − 1)−1 2 d where h is the class number of K, d is the discriminant, and η is the fundamental unit. The Conjecture of Birch and Swinnerton-Dyer for a curve of

442

CHAPTER 14 ZETA FUNCTIONS

rank r = 1, with generator P , predicts that 
 ˆ Ω E ) h(P ) p cp (# LE (s) = (s − 1) + ··· . #E(Q)2torsion √ In this case, Ω is the analogue of 4/ d and #E(Q)torsion plays the role of 2, ˆ ) gives the size of which is the number of roots of unity in K. The height h(P P . Similarly, log(η) gives the size of η. In general, we can write down a dictionary between elliptic curves and number fields: elliptic curves ←→ number fields points ←→ units torsion points ←→ roots of unity Shafarevich-Tate group ←→ ideal class group This is not an exact dictionary, but it helps to interpret results in one area in terms of the other. For example, the Dirichlet unit theorem in algebraic number theory, which describes the group of units in a number field, is the analogue of the Mordell-Weil theorem, which describes the group of rational points on an elliptic curve. The finiteness of the ideal class group in algebraic number theory is the analogue of the conjectured finiteness of the ShafarevichTate group.

Exercises 14.1 Let P1 be one-dimensional projective space. (a) Show that the number of points in P1 (Fq ) is q + 1. (b) Let Nn = #P1 (Fqn ). Define the Z-function for P1 by  ∞  Nn n T ZP1 (T ) = exp . n n=1 Show that ZP1 (T ) = 

1 . (1 − T )(1 − qT )

 ab 14.2 Let M = ∈ GL2 (R) with det(M ) > 0. Define an action of M cd on functions on H by (f |M )(z) = det(M )(cz + d)−2 f (M z), where M z =

az+b cz+d .

EXERCISES

443

(a) Show that (f |M1 )|M2 = f |(M1 M2 ).   0 −1 (b) Let W = . Show that W Γ0 (N ) W −1 = Γ0 (N ). N 0 (c) Suppose that f is a function with f |M = f for all M ∈ Γ0 (N ). Let g(z) = (f |W )(z). Show that g|M = g for all M ∈ Γ0 (N ). (Hint: Combine parts (a) and (b).) (d) Suppose that f is a function with f |M = f for all M ∈ Γ0 (N ). Let f + = 12 (f + f |W ) and f − = 12 (f − f |W ). Show that f + |W = f + and f − |W = −f − . This gives a decomposition f = f + + f − in which f is written as a sum of two eigenfunctions for W .  |bn | converges. 14.3 It is well known that a product (1 + bn ) converges if Use this fact, plus Hasse’s theorem, to show that the Euler product defining LE (s) converges for (s) > 3/2.

Chapter 15 Fermat’s Last Theorem

15.1 Overview Around 1637, Fermat wrote in the margin of his copy of Diophantus’s work that, when n ≥ 3, an + bn = cn ,

abc = 0

(15.1)

has no solution in integers a, b, c. This has become known as Fermat’s Last Theorem. Note that it suffices to consider only the cases where n = 4 and where n =
is an odd prime (since any n ≥ 3 has either 4 or such an
as a factor). The case n = 4 was proved by Fermat using his method of infinite descent (see Section 8.6). At least one unsuccessful attempt to prove the case n = 3 appears in Arab manuscripts in the 900s (see [34]). This case was settled by Euler (and possibly by Fermat). The first general result was due to Kummer in the 1840s: Define the Bernoulli numbers Bn by the power series ∞
tn t = Bn . t e − 1 n=1 n!

For example, B2 =

1 , 6

B4 = −

1 , 30

...,

B12 = −

691 . 2730

Let
be an odd prime. If
does not divide the numerator of any of the Bernoulli numbers B2 , B4 , . . . , B
−3 then (15.1) has no solutions for n =
. This criterion allowed Kummer to prove Fermat’s Last Theorem for all prime exponents less than 100, except for
= 37, 59, 67. For example, 37 divides the numerator of the 32nd Bernoulli number, so this criterion does not apply. Using more refined criteria, based on the knowledge of which Bernoulli numbers are divisible by these exceptional
, Kummer was able to prove Fermat’s Last Theorem for the three remaining

445

446

CHAPTER 15 FERMAT’S LAST THEOREM

exponents. Refinements of Kummer’s ideas by Vandiver and others, plus the advent of computers, yielded extensions of Kummer’s results to many more exponents. For example, in 1992, Buhler, Crandall, Ernvall, and Mets¨ ankyl¨ a proved Fermat’s Last Theorem for all exponents less than 4 × 106 . How could one check so many cases without seeing a pattern that would lead to a full proof? The reason is that these methods were a prime-by-prime check. For each prime
, the Bernoulli numbers were computed mod
. For around 61% of the primes, none of these Bernoulli numbers was divisible by
, so Kummer’s initial criterion yielded the result. For the remaining 39% of the primes, more refined criteria were used, based on the knowledge of which Bernoulli numbers were divisible by
. For
up to 4×106 , these criteria sufficed to prove the theorem. But it was widely suspected that eventually there would be exceptions to these criteria, and hence more refinements would be needed. The underlying problem with this approach was that it did not include any conceptual reason for why Fermat’s Last Theorem should be true. In particular, there was no reason why there couldn’t be a few random exceptions. In 1986, the situation changed. Suppose that a
+ b
= c
,

abc = 0.

(15.2)

By removing common factors, we may assume that a, b, c are integers with gcd(a, b, c) = 1, and by rearranging a, b, c and changing signs if necessary, we may assume that b≡0

(mod 2),

a ≡ −1 (mod 4).

(15.3)

Frey suggested that the elliptic curve EFrey :

y 2 = x(x − a
)(x + b
)

(this curve had also been considered by Hellegouarch) has such restrictive properties that it cannot exist, and therefore there cannot be any solutions to (15.2). As we’ll outline below, subsequent work of Ribet and Wiles showed that this is the case. When
≥ 5, the elliptic curve EFrey has good or multiplicative reduction (see Exercise 2.24) at all primes (in other words, there is no additive reduction). Such an elliptic curve is called semistable. The discriminant of the cubic is the square of the product of the differences of the roots, namely 

2 = (abc)2
a
(−b
)(a
+ b
)

(we have used (15.2)). Because of technicalities involving the prime 2 (related to the restrictions in (15.3)), the discriminant needs to be modified at 2 to yield what is known as the minimal discriminant ∆ = 2−8 (abc)2


SECTION 15.1 OVERVIEW

447

of EFrey . A conjecture of Brumer and Kramer predicts that a semistable elliptic curve over Q whose minimal discriminant is an
th power will have a point of order
. Mazur’s Theorem (8.11) says that an elliptic curve over Q cannot have a point of order
when
≥ 11. Moreover, if the 2-torsion is rational, as is the case with EFrey , then there are no points of order
when
≥ 5. Since ∆ is almost an
th power, we expect EFrey to act similarly to a curve that has a point of order
. Such curves cannot exist when
≥ 5, so EFrey should act like a curve that cannot exist. Therefore, we expect that EFrey does not exist. The problem is to make these ideas precise. Recall (see Chapter 14) that the L-series of an elliptic curve E over Q is defined as follows. For each prime p of good reduction, let ap = p + 1 − #E(Fp ). Then LE (s) = (∗)



(1 − ap p−s + p1−2s )−1 =

p

∞
an , ns n=1

where (*) represents the factors for the bad primes (see Section 14.2) and the product is over the good primes. Suppose E(Q) contains a point of order
. By Theorem 8.9, E(Fp ) contains a point of order
for all primes p =
such that E has good reduction at p. Therefore,
|#E(Fp ), so ap ≡ p + 1

(mod
)

(15.4)

for all such p. This is an example of how the arithmetic of E is related to properties of the coefficients ap . We hope to obtain information by studying these coefficients. In particular, we expect a congruence similar to (15.4) to hold for EFrey . In fact, a close analysis (requiring more detail than we give in Section 13.3) of Ribet’s proof shows that EFrey is trying to satisfy this congruence. However, the irreducibility of a certain Galois representation is preventing it, and this leads to the contradiction that proves the theorem. The problem with this approach is that the numbers ap at first seem to be fairly independent of each other as p varies. However, the Conjecture of Taniyama-Shimura-Weil (now Theorem 14.4) claims that, for an elliptic curve E over Q, ∞
an q n fE (τ ) = n=1

(where q = e2πiτ ) is a modular form for Γ0 (N ) for some N (see Section 14.2). In this case, we say that E is modular. This is a fairly rigid condition and can be interpreted as saying that the numbers ap have some coherence as p varies. For example, it is likely that if we change one coefficient ap , then the modularity will be lost. Therefore, modularity is a tool for keeping the

448

CHAPTER 15 FERMAT’S LAST THEOREM

numbers ap under control. Frey predicted the following, which Ribet proved in 1986: THEOREM 15.1 EFrey cannot be modular. Therefore, the conjecture of Taniyama-ShimuraWeil implies Fermat’s Last Theorem. This result finally gave a theoretical reason for believing Fermat’s Last Theorem. Then in 1994, Wiles proved THEOREM 15.2 All semistable elliptic curves over Q are modular. This result was subsequently extended to include all elliptic curves over Q. See Theorem 14.4. Since the Frey curve is semistable, the theorems of Wiles and Ribet combine to show that EFrey cannot exist, hence THEOREM 15.3 Fermat’s Last Theorem is true. In the following three sections, we sketch some of the ideas that go into the proofs of Ribet’s and Wiles’s theorems.

15.2 Galois Representations Let E be an elliptic curve over Q and let m be an integer. From Theorem 3.2, we know that E[m]  Zm ⊕ Zm . Let {β1 , β2 } be a basis of E[m] and let σ ∈ G, where G = Gal(Q/Q). Since σβi ∈ E[m], we can write σβ1 = aβ1 + cβ2 ,

σβ2 = bβ1 + dβ2

with a, b, c, d ∈ Zm . We thus obtain a homomorphism ρm : G −→ GL2 (Zm )   ab σ −→ . cd

SECTION 15.2 GALOIS REPRESENTATIONS

449

If m =
is a prime, we call ρ
the mod
Galois representation attached to E. We can also take m =
n for n = 1, 2, 3, . . . . By choosing an appropriate sequence of bases, we obtain representations ρ
n such that ρ
n ≡ ρ
n+1

(mod
n )

for all n. These may be combined to obtain ρ
∞ : G −→ GL2 (O
), where O
denotes any ring containing the
-adic integers (see Appendix A). This is called the
-adic Galois representation attached to E. An advantage of working with ρ
∞ is that the
-adic integers have characteristic 0, so instead of congruences mod powers of
, we can work with equalities. Notation: Throughout this chapter, we will need rings that are finite extensions of the
-adic integers. We’ll denote such rings by O
. For many purposes, we can take O
to equal the
-adic integers, but sometimes we need slightly larger rings. Since we do not want to discuss the technical issues that arise in this regard, we simply use O
to denote a varying ring that is large enough for whatever is required. The reader will not lose much by pretending that O
is always the ring of
-adic integers. Suppose r is a prime of good reduction for E. There exists an element Frobr ∈ G such that the action of Frobr on E(Q) yields the action of the Frobenius φr on E(Fr ) when E is reduced mod r (the element Frobr is not unique, but this will not affect us). In particular, when
= r, the matrices describing the actions of Frobr and φr on the
-power torsion are the same (use a basis and its reduction to compute the matrices). Let ar = r + 1 − #E(Fr ). From Proposition 4.11, we obtain that Trace(ρ
n (Frobr )) ≡ ar

(mod
n ),

det(ρ
n (Frobr )) ≡ r

(mod
n ),

and therefore Trace(ρ
∞ (Frobr )) = ar ,

det(ρ
∞ (Frobr )) = r.

Recall that the numbers ar are used to produce the modular form fE attached to E (see Section 14.2). Suppose now that ρ : G −→ GL2 (O
) is a representation of G. Under certain technical conditions (namely, ρ is unramified at all but finitely many primes; see the end of this section), we may choose elements Frobr (for the unramified primes) and define ar = Trace(ρ(Frobr )).

450

CHAPTER 15 FERMAT’S LAST THEOREM

This allows us to define a formal series g=

∞


an q n .

n=1

We refer to g as the potential modular form attached to ρ. Of course, some conditions must be imposed on the ar in order for this to represent a complex function (for example, the numbers an ∈ O
must be identified with complex numbers), but we will not discuss this general problem here. Let N be a positive integer. Recall that a modular form f of weight 2 and level N is a function analytic in the upper half plane satisfying   aτ + b (15.5) f = (cτ + d)2 f (τ ) cτ + d for all



ab cd

 ∈ Γ0 (N )

(where Γ0 (N ) is the group of integral matrices of determinant 1 such that c ≡ 0 (mod N )). There are also technical conditions that we won’t discuss for the behavior of f at the cusps. The cusp forms of weight 2 and level N , which we’ll denote by S(N ), are those modular forms that take the value 0 at all the cusps. S(N ) is a finite dimensional vector space over C. We represent cusp forms by their Fourier expansions: f (τ ) =

∞


bn q n ,

n=1

where q = e2πiτ . If M |N , then Γ0 (N ) ⊆ Γ0 (M ), so a modular form of level M can be regarded as a modular form of level N . More generally, if d|(N/M ) and f (τ ) is a cusp form of level M , then it can be shown that f (dτ ) is a cusp form of level N . The subspace of S(N ) generated by such f , where M ranges through proper divisors of N and d ranges through divisors of N/M , is called the subspace of oldforms. There is a naturally defined inner product on S(N ), called the Petersson inner product. The space of newforms of level N is the perpendicular complement of the space of oldforms. Intuitively, the newforms are those that do not come from levels lower than N . We now need to introduce the Hecke operators. Let r be a prime. Define ∞  ⎧ ∞ b q n + ∞ rb q rn , if r
N ⎨ n=1 rn n
n=1 bn q n = (15.6) Tr ⎩ ∞ n n=1 b q , if r | N. n=1 rn It can be shown that Tr maps S(N ) into S(N ) and that the Tr ’s commute with each other. Define the Hecke algebra T = TN ⊆ End(S(N ))

SECTION 15.2 GALOIS REPRESENTATIONS

451

to be the image of Z[T2 , T3 , T5 , . . . ] in the endomorphism ring of S(N ) (the endomorphism ring of S(N ) is the ring of linear transformations from the vector space S(N ) to itself). A normalized eigenform of level N is a newform f=

∞


bn q n ∈ S(N )

n=1

of level N with b1 = 1 and such that Tr (f ) = br f

for all r.

It can be shown that the space of newforms in S(N ) has a basis of normalized eigenforms. Henceforth, essentially all of the modular forms that we encounter will be normalized eigenforms of level N . Often, we shall refer to them simply as modular forms. Let f be a normalized eigenform and suppose the coefficients bn of f are rational integers. In this case, Eichler and Shimura showed that f determines an elliptic curve Ef over Q, and Ef has the property that br = ar for all r (where ar = r + 1 − #Ef (Fr ) for the primes of good reduction). In particular, the potential modular form fEf for E is the modular form f . Moreover, Ef has good reduction at the primes not dividing N . This result is, in a sense, a converse of the conjecture of Taniyama-Shimura-Weil. The conjecture can be restated as claiming that every elliptic curve E over Q arises from this construction. Actually, we have to modify this statement a little. Two elliptic curves E1 and E2 are called isogenous over Q if there is a nonconstant homomorphism E1 (Q) → E2 (Q) that is described by rational functions over Q (see Chapter 12). It can be shown that, in this case, fE1 = fE2 . Conversely, Faltings showed that if fE1 = fE2 then E1 and E2 are isogenous. Since only one of E1 , E2 can be the curve Ef , we must ask whether an elliptic curve E over Q is isogenous to one produced by the result of Eichler and Shimura. Theorem 14.4 says that the answer is yes. If we have an elliptic curve E, how can we predict what N should be? The smallest possible N is called the conductor of E. For E = Ef , the primes dividing the conductor N are exactly the primes of bad reduction of Ef (these are also the primes of bad reduction of any curve isogenous to Ef over Q). Moreover, p|N and p2
N if and only if Ef has multiplicative reduction at p. Therefore, if Ef is semistable, then  N= p, (15.7) p|∆

namely, the product of the primes dividing the minimal discriminant ∆. We see that N is squarefree if and only if Ef is semistable. Therefore, if E is an arbitrary modular semistable elliptic curve over Q, then N is given by (15.7).

452

CHAPTER 15 FERMAT’S LAST THEOREM

Combining the result of Eichler and Shimura with the representations Galois discussed above, we obtain the following. If f = bn q n is a normalized newform with rational integer coefficients, then there is a Galois representation ρf : G −→ GL2 (O
) such that Trace(ρf (Frobr )) = br ,

det(ρf (Frobr )) = r

(15.8)

for all r

N . More generally, Eichler and Shimura showed that if f = bn q n is any normalized newform (with no assumptions on its coefficients), then there is a Galois representation ρf : G → GL2 (O
) satisfying (15.8). Returning to the situation where the coefficients bn are in Z, we let M be the kernel of the ring homomorphism T −→ F
Tr −→ br (mod
). Since the homomorphism is surjective (because 1 maps to 1) and F
is a field, M is a maximal ideal of T. Also, T/M = F
. Since Tr − br ∈ M, the mod
version of (15.8) says that Trace(ρf (Frobr )) ≡ Tr

mod M,

det(ρf (Frobr )) ≡ r

mod M

for all r

N . This has been greatly generalized by Deligne and Serre: THEOREM 15.4 Let M be a maximal ideal of T and let
be the characteristic of T/M. There exists a semisimple representation ρM : G −→ GL2 (T/M) such that Trace(ρM (Frobr )) ≡ Tr

mod M,

det(ρM (Frobr )) ≡ r

mod M

for all primes r

N . The semisimplicity of ρM means that either ρM is irreducible or it is the sum of two one-dimensional representations. In general, let A be either O
or a finite field. If ρ : G −→ GL2 (A)

SECTION 15.2 GALOIS REPRESENTATIONS

453

is a semisimple representation, then we say that ρ is modular of level N if there exists a homomorphism π : T −→ A such that Trace(ρ(Frobr )) = π(Tr ),

det(ρ(Frobr )) = π(r)

for all r

N . This says that ρ is equivalent to a representation coming from one of the above constructions. When A = T/M, the homomorphism π is the map T → T/M. When f = bn q n is a normalized eigenform and A = O
, recall that Tr (f ) = br f for all r. This gives a homomorphism π : T → O
(it is possible to regard the coefficients br as elements of a sufficiently large O
). The way to obtain maximal ideals M of T is to use a normalized eigenform to get a map T → O
, then map O
to a finite field. The kernel of the map from T to the finite field is a maximal ideal M. When A is a finite field, the level N of the representation ρ is not unique. In fact, a key result of Ribet (see Section 15.3) analyzes how the level can be changed. Also, in the definition of modularity in this case, we should allow modular forms of weight k ≥ 2 (this means that the factor (cz + d)2 in (15.5) is replaced by (cz + d)k ). However, this more general situation can be ignored for the present purposes. If ρ is a modular representation of some level, and c ∈ G is complex conjugation (regard Q as a subfield of C) then it can be shown that det(ρ(c)) = −1. This says that ρ is an odd representation. A conjecture of Serre [105], which was a motivating force for much of the work described in this chapter, predicts that (under certain mild hypotheses) odd representations in the finite field case are modular (where we need to allow modular forms of weight k ≥ 2 in the definition of modularity). Serre also predicts the level and the weight of a modular form that yields the representation. Finally, there is a type of representation, called finite, that plays an important role in Ribet’s proof. Let p be a prime. We can regard the Galois group for the p-adics as a subgroup of the Galois group for Q: Gp = Gal(Qp /Qp ) ⊂ G = Gal(Q/Q). There is a natural map from Gp to Gal(Fp /Fp ). The kernel is denoted Ip and is called the inertia subgroup of Gp : Gp /Ip  Gal(Fp /Fp ).

(15.9)

A representation ρ : G → GL2 (F
) is said to be unramified at p if ρ(Ip ) = 1, namely, Ip is contained in the kernel of ρ. If p =
and ρ is unramified at p, then ρ is said to be finite at p.

454

CHAPTER 15 FERMAT’S LAST THEOREM

If p =
, the definition of finite is much more technical (it involves finite flat group schemes) and we omit it. However, for the representation ρ
coming from an elliptic curve, there is the following: PROPOSITION 15.5 Let E be an elliptic curve defined over Q and let ∆ be the minimal discriminant of E. Let
and p be primes (the case p =
is allowed) and let ρ
be the representation of G on E[
]. Then ρ
is finite at p if and only if vp (∆) ≡ 0 (mod
), where vp denotes the p-adic valuation (see Appendix A). For a proof, see [105]. Consider the Frey curve. The minimal discriminant is ∆ = 2−8 (abc)2
. Therefore, vp (∆) ≡ 0 (mod
) for all p = 2, so ρ
is finite at all odd primes. Moreover, ρ
is not finite at 2.

15.3 Sketch of Ribet’s Proof The key theorem that Ribet proved is the following. THEOREM 15.6 Let
≥ 3 and let ρ : G → GL2 (F
) be an irreducible representation. Assume that ρ is modular of squarefree level N and that there exists a prime q|N , q =
, at which ρ is not finite. Suppose p|N is a prime at which ρ is finite. Then ρ is modular of level N/p. In other words, if ρ comes from a modular form of level N , then, under suitable hypotheses, it also comes from a modular form of level N/p. COROLLARY 15.7 EFrey cannot be modular. PROOF Since there are no solutions to the Fermat equation, and hence no Frey curves, when
= 3, we may assume
≥ 5. If EFrey is modular, then the associated representation ρ
is modular of some level N . Since EFrey is

SECTION 15.3 SKETCH OF RIBET’S PROOF

455

semistable, (15.7) says that N=



p.

p|abc

It can be shown that ρ
is irreducible when
≥ 5 (see [105], where it is obtained as a corollary of Mazur’s theorem (Theorem 8.11)). Let q = 2 in Ribet’s theorem. As we showed at the end of Section 13.2, ρ
is not finite at 2 and is finite at all other primes. Therefore, Ribet’s theorem allows us to remove the odd primes from N one at a time. We eventually find that ρ
is modular of level 2. This means that there is a normalized cusp form of weight 2 for Γ0 (2) such that ρ
is the associated mod
representation. But there are no nonzero cusp forms of weight 2 for Γ0 (2), so we have a contradiction. Therefore, EFrey cannot be modular. COROLLARY 15.8 The Taniyama-Shimura-Weil conjecture (for semistable elliptic curves) implies Fermat’s Last Theorem. PROOF We may restrict to prime exponents
≥ 5. If there is a nontrivial solution to the Fermat equation for
, then the Frey curve exists. However, Corollary 15.7 and the Taniyama-Shimura-Weil conjecture imply that the Frey curve cannot exist. Therefore, there are no nontrivial solutions to the Fermat equation. We now give a brief sketch of the proof of Ribet’s theorem. The proof uses the full power of Grothendieck’s algebraic geometry and is not elementary. Therefore, we give only a sampling of some of the ideas that go into the proof. For more details, see [90], [89], [85], [29]. We assume that ρ is as in Theorem 15.6 and that N is chosen so that 1. ρ is modular of squarefree level N , 2. both p and q divide N , 3. ρ is finite at p but is not finite at q. The goal is to show that p can be removed from N . The main ingredient of the proof is a relation between Jacobians of modular curves and Shimura curves. In the following, we describe modular curves and Shimura curves and give a brief indication of how they occur in Ribet’s proof.

456

CHAPTER 15 FERMAT’S LAST THEOREM

Modular curves Recall that SL2 (Z) acts on the upper half plane H by linear fractional transformations:   aτ + b ab . τ= cd cτ + d The fundamental domain F for this action is described in Section 9.3. The subgroup Γ0 (N ) (defined by the condition that c ≡ 0 (mod N )) also acts on H. The modular curve X0 (N ) is defined over C by taking the upper half plane modulo the action of Γ0 (N ), and then adding finitely many points, called cusps, to make X0 (N ) compact. We obtain a fundamental domain D for Γ0 (N ) by writing SL2 (Z) = ∪i γi Γ0 (N ) for some coset representatives γi and letting D = ∪i γi−1 F. Certain edges of this fundamental domain are equivalent under the action of Γ0 (N ). When equivalent edges are identified, the fundamental domain gets bent around to form a surface. There is a hole in the surface corresponding to i∞, and there are also finitely many holes corresponding to points where the fundamental domain touches the real axis. These holes are filled in by points, called cusps, to obtain X0 (N ). It can be shown that X0 (N ) can be represented as an algebraic curve defined over Q. Figure 15.1 gives a fundamental domain for Γ0 (2). The three pieces are obtained as γi−1 F, where       10 0 −1 1 1 γ1 = , γ2 = , γ3 = . 01 1 0 −1 0 The modular curve X0 (N ) has another useful description, which works over arbitrary fields K with the characteristic of K not dividing N . Consider pairs (E, C), where E is an elliptic curve (defined over the algebraic closure K) and C is a cyclic subgroup of E(K) of order N . The set of such pairs is in oneto-one correspondence with the noncuspidal points of X0 (N )(K). Of course, it is not obvious that this collection of pairs can be given the structure of an algebraic curve in a natural way. This takes some work. Example 15.1 When K = C, we can see this one-to-one correspondence as follows. An elliptic curve can be represented as Eτ = C/(Zτ + Z), with τ ∈ H, the upper half plane. The set

 N −1 1 Cτ = 0, , . . . , N N

SECTION 15.3 SKETCH OF RIBET’S PROOF

457

Figure 15.1

A Fundamental Domain for Γ0 (2) is a cyclic subgroup of Eτ of order N . Let   ab γ= ∈ Γ0 (N ) cd and let γτ =

aτ + b . cτ + d

Since Zτ + Z = Z(aτ + b) + Z(cτ + d) = (cτ + d)(Zγτ + Z), there is an isomorphism fγ : C/(Zτ + Z) −→ C/(Zγτ + Z) given by fγ (z) = z/(cτ + d). This isomorphism between Eτ and Eγτ maps the point k/N to k ka c aτ + b = −k N (cτ + d) N N cτ + d ka mod Zγτ + Z ≡ N (we have used the fact that c ≡ 0 (mod N )). Therefore, the subgroup Cτ of Eτ is mapped to the corresponding subgroup Cγτ of Eγτ , so fγ maps the pair (Eτ , Cτ ) to the pair (Eγτ , Cγτ ). We conclude that if τ1 , τ2 ∈ H are equivalent under the action of Γ0 (N ), then the corresponding pairs (Eτj , Cτj ) are isomorphic. It is not hard to show that, conversely, if the pairs are isomorphic then the corresponding τj ’s are equivalent under Γ0 (N ). Moreover,

458

CHAPTER 15 FERMAT’S LAST THEOREM

every pair (E, C) of an elliptic curve over C and a cyclic subgroup C of order N is isomorphic to a pair (Eτ , Cτ ) for some τ ∈ H. Therefore, the set of isomorphism classes of these pairs is in one-to-one correspondence with the points of H mod the action of Γ0 (N ). These are the noncuspidal points of X0 (N ). Of course, over arbitrary fields, we cannot work with the upper half plane H, and it is much more difficult to show that the pairs (E, C) can be collected together as the points on a curve X0 (N ). However, when this is done, it yields a convenient way to work with the modular curve X0 (N ) and its reductions mod primes. For a nonsingular algebraic curve C over a field K, let J(C) be the divisors (over K) of degree 0 modulo divisors of functions. It is possible to represent J(C) as an algebraic variety, called the Jacobian of C. When C is an elliptic curve E, we showed (Corollary 11.4; see also the sequence (9.3)) that J(E) is a group isomorphic to E(K). When K = C, we thus obtained a torus. In general, if K = C and C is a curve of genus g, then J(C) is isomorphic to a higher dimensional torus, namely, Cg mod a lattice of rank 2g. The Jacobian of X0 (N ) is denoted J0 (N ). The Jacobian J0 (N ) satisfies various functorial properties. In particular, a nonconstant map φ : X0 (N ) → E induces a map φ∗ : E → J0 (N ) obtained by mapping a point P of E to the divisor on X0 (N ) formed by the sum of the inverse images of P minus the inverse images of ∞ ∈ E:

[Q] − [R]. φ∗ : P −→ φ(Q)=P

φ(R)=∞

Therefore, we can map E to a subgroup of J0 (N ) (this map might have a nontrivial, but finite, kernel). An equivalent formulation of the modularity of E is to say that there is a nonconstant map from X0 (N ) to E and therefore that E is isogenous to an elliptic curve contained in some J0 (N ). If p is a prime dividing N , there are two natural maps X0 (N ) → X0 (N/p). If (E, C) is a pair corresponding to a point in X0 (N ), then there is a unique subgroup C  ⊂ C of order N/p. So we have a map α : (E, C) −→ (E, C  ).

(15.10)

However, there is also a unique subgroup P ⊂ C of order p. It can be shown that E/P is an elliptic curve and therefore (E/P, C/P ) is a pair corresponding to a point on X0 (N/p). This gives a map β : (E, C) −→ (E/P, C/P ).

(15.11)

These two maps can be interpreted in terms of the complex model of X0 (N ). Since Γ0 (N ) ⊂ Γ0 (N/p), we can map H mod Γ0 (N ) to H mod Γ0 (N/p) by

SECTION 15.3 SKETCH OF RIBET’S PROOF

459

mapping the equivalence class of τ mod Γ0 (N ) to the equivalence class of τ mod Γ0 (N/p). This corresponds to the map α. The map β can be shown to correspond to the map τ → pτ . Note that these two maps represent the two methods of using modular forms for Γ0 (N/p) to produce oldforms for Γ0 (N ). The Hecke algebra T acts on J0 (N ). Let P be a point on X0 (N ). Recall that P corresponds to a pair (E, C), where E is an elliptic curve and C is a cyclic subgroup of order N . Let p be a prime. For each subgroup D of E of order p with D ⊆ C, we can form the pair (E/D, (C + D)/D). It can be shown that E/D is an elliptic curve and (C + D)/D is a cyclic subgroup of order N . Therefore, this pair represents a point on X0 (N ). Define Tp ([(E, C)]) =




[(E/D, (C + D)/D)] ∈ Div(X0 (N )),

D

where the sum is over those D of order p with D ⊆ C and where Div(X0 (N )) denotes the divisors of X0 (N ) (see Chapter 11). It is not hard to show that this corresponds to the formulas for Tp given in (15.6). Clearly Tp maps divisors of degree 0 to divisors of degree 0, and it can be shown that it maps principal divisors to principal divisors. Therefore, Tp gives a map from J0 (N ) to itself. This yields an action of T on J0 (N ), and these endomorphisms are defined over Q. Let α ∈ T and let J0 (N )[α] denote the kernel of α on J0 (N ). More generally, let I be an ideal of T. Define  J0 (N )[I] = J0 (N )[α]. α∈I

For example, when I = nT for an integer n, then J0 (N )[I] is just J0 (N )[n], the n-torsion on J0 (N ). Now let’s consider the representation ρ of Theorem 15.6. Since ρ is assumed to be modular, it corresponds to a maximal ideal M of T. Let F = T/M, which is a finite field. Then W = J0 (N )[M] has an action of F, which means that it is a vector space over F. Let
be the characteristic of F. Since
= 0 in F, it follows that W ⊆ J0 (N )[
], the
-torsion of J0 (N ). Since G acts on W , we see that W yields a representation ρ of G over F. It can be shown that ρ is equivalent to ρ, so we can regard the representation space for ρ as living inside the
-torsion of J0 (N ). This has great advantages. For example, if M |N then there are natural maps X0 (N ) → X0 (M ). These yield (just as for the map X0 (N ) → E above) maps J0 (M ) → J0 (N ). Showing that the level can be reduced from N to M is equivalent to showing that this representation space lives in these images of J0 (M ). Also, we are now working with a representation that lives inside a fairly concrete object, namely the
-torsion of an abelian variety, rather than a more abstract situation, so we have more control over ρ.

460

CHAPTER 15 FERMAT’S LAST THEOREM

Shimura curves We now need to introduce what are known as Shimura curves. Recall that in Section 10.2 we defined quaternion algebras as (noncommutative) rings of the form Q = Q + Qα + Qβ + Qαβ, where

α2 , β 2 ∈ Q,

βα = −αβ.

We omit the requirement from Section 10.2 that α2 < 0 and β 2 < 0 since we want to consider indefinite quaternion algebras as well. Let r be a prime (possibly ∞) and let Qr be the ring obtained by allowing r-adic coefficients in the definition of Q. As we mentioned in Section 10.2, there is a finite set of primes r, called the ramified primes, for which Qr has no zero divisors. On the other hand, when r is unramified, Qr is isomorphic to M2 (Qr ), the ring of 2 × 2 matrices with r-adic entries. Given two distinct primes p and q, there is a quaternion algebra B that is ramified exactly at p and q. In particular, B is unramified at ∞, so B∞ = M2 (R). Corresponding to the integer M = N/pq, there is an order O ⊂ B, called an Eichler order of level M (an order in B is a subring of B that has rank 4 as an additive abelian group; see Section 10.2). Regarding O as a subset of B∞ = M2 (R), define Γ∞ = O ∩ SL2 (R). Then Γ∞ acts on H by linear fractional transformations. The Shimura curve C is defined to be H modulo Γ∞ . There is another description of C, analogous to the one given above for X0 (N ). Let Omax be a maximal order in B. Consider pairs (A, B), where A is a two-dimensional abelian variety (these are algebraic varieties that, over C, can be described as C2 mod a rank 4 lattice) and B is a subgroup of A isomorphic to ZM ⊕ ZM . We restrict our attention to those pairs such that Omax is contained in the endomorphism ring of A and such that Omax maps B to B. When we are working over C, such pairs are in one-to-one correspondence with the points on C. In general, over arbitrary fields, such pairs correspond in a natural way to points on an algebraic curve, which we again denote C. Let J be the Jacobian of C. The description of C in terms of pairs (A, B) means that we can define an action of the Hecke operators on J, similarly to what we did for the modular curves. Let J[
] be the
-torsion of the Jacobian J of C. It can be shown that the representation ρ occurs in J[M], so there is a space V isomorphic to the

SECTION 15.4 SKETCH OF WILES’S PROOF

461

representation space W of ρ with V ⊆ J[M] ⊆ J[
]. We now have the representation ρ living in J0 (N )[
] and in J[
]. The representation ρ can be detected using the reduction of J0 (N ) mod q and also using the reduction of J mod p, and Ribet uses a calculation with quaternion algebras to establish a relationship between these two reductions. This relationship allows him to show that p can be removed from the level N . REMARK 15.9 A correspondence between modular forms for GL2 and modular forms for the multiplicative group of a quaternion algebra plays a major role in work of Jacquet-Langlands. This indicates a relation between J0 (N ) and J. In fact, there is a surjection from J0 (N ) to J. However, this map is not being used in the present case since such a map would relate the reduction of J0 (N ) mod q to the reduction of J mod q. Instead, Ribet works with the reduction of J0 (N ) mod q and the reduction of J mod p. This switch between p and q is a major step in the proof of Ribet’s theorem.

15.4 Sketch of Wiles’s Proof In this section, we outline the proof that all semistable elliptic curves over Q are modular. For more details, see [29], [32], [118], [133]. Let E be a semistable elliptic curve and let
an q n fE = n≥1

be the associated potential modular form. We want to prove that fE is a modular form (for some Γ0 (N )). Suppose we have two potential modular forms

cn q n , g= cn q n f= n≥1

n≥1

arising from Galois representations G → GL2 (Op ) (where Op is some ring containing the p-adic integers. We assume that all of the coefficients cn , cn are embedded in Op ). Let p˜ be the prime above p in Op . (If Op is the ring of p-adic integers, then p˜ = p.) If c
≡ c
(mod p˜) for almost all primes
(that is, we allow finitely many exceptions), then we write f ≡g

(mod p˜).

462

CHAPTER 15 FERMAT’S LAST THEOREM

This means that the Galois representations mod p˜ associated to f and g are equivalent. The following result of Langlands and Tunnell gives us a place to start. THEOREM 15.10 Let E be an elliptic curve defined over Q and let fE = n≥1 an q n be the associated potential modular form. There exists a modular form
g0 = bn q n n≥1

such that a
≡ b


(mod ˜3)

for almost all primes
(that is, with possibly finitely many exceptions), and where ˜ 3 denotes a prime of O3 . Recall that O3 denotes an unspecified ring containing the 3-adic integers. If O3 is sufficiently large, the coefficients b
, which are algebraic integers, can be regarded as lying in O3 . The reason that 3 is used is that the group GL2 (F3 ) has order 48, hence is solvable. The representation ρ3 of G on E[3] therefore has its image in a solvable group. The techniques of base change developed in the Langlands program apply to cyclic groups, hence to solvable groups, and these techniques are the key to proving the result. The groups GL2 (Fp ) for p ≥ 5 are not solvable, so the base change techniques do not apply. On the other hand, the representation ρ2 for the Galois action on E[2] is trivial for the Frey curves since the 2-torsion is rational for these curves. Therefore, it is not expected that ρ2 should yield any information. Note that the modular form g0 does not necessarily have rational coefficients. Therefore, g0 is not necessarily the modular form associated to an elliptic curve. Throughout Wiles’s proof, Galois representations associated to arbitrary modular forms are used. The result of Langlands and Tunnell leads us to consider the following. GENERAL PROBLEM Fix a prime p. Let g = n≥1 an q n be a potential modular form (associated to a 2-dimensional Galois representation). Suppose there is a modular form g0 = bn q n such that g ≡ g0 (mod ˜)p. Can we prove that g is a modular form? The work of Wiles shows that the answer to the general problem is often yes. Let A be the set of all potential modular forms g with g ≡ g0 (mod ˜)p (subject to certain restrictions). Let M ⊆ A be the set of modular g’s in A. We are assuming that g0 ∈ M . The basic idea is the following. Let TA be the

SECTION 15.4 SKETCH OF WILES’S PROOF

463

tangent space to A at g0 and let TM be the tangent space to M at g0 . The goal is to show that TA = TM . Wiles shows that the spaces A and M are nice enough that the equality of tangent spaces suffices to imply that A = M .

A TA

TM g0

M

Figure 15.2

Tangent Spaces

Example 15.2 Let E be given by y 2 + xy + y = x3 − x2 − 171x + 1904. This curve has multiplicative reduction at 17 and 37 and good reduction at all other primes. Therefore, E is semistable. The minimal discriminant of E is ∆ = −17 · 375 . Since E is semistable, the conductor of E is N = 17 · 37. Therefore, we expect that gE is a modular form for Γ0 (17 · 37). Counting points on E mod
for various
yields the following values for a
(we ignore the bad prime 17):
a
Therefore,

2 3 5 7 11 −1 0 3 −1 −5

13 17 −2 −

19 1

23 −6

gE = q − q 2 + 0 · q 3 − q 4 + 3q 5 + · · · .

There is a modular form
bn q n = q − q 2 + 0 · q 3 − q 4 − 2q 5 + · · · g0 =

464

CHAPTER 15 FERMAT’S LAST THEOREM

for Γ0 (17). The first few values of b
are as follows:
b


2 −1

3 5 0 −2

7 4

11 13 0 −2

17 19 − −4

23 4

It can be shown that a
≡ b
(mod 5) for all
= 17, 37 (we ignore these bad primes), so gE ≡ g0 (mod 5). Can we prove that gE is a modular form? Let A be the set of all potential modular forms g with g ≡ g0 (mod 5) and where the level N for g is allowed to contain only the primes 5, 17, 37 in its factorization. There is also a technical condition, which we omit, on the ring generated by the coefficients of g. The subspace M of true modular forms contains g0 . Here are pictures of A and M :

M:

A:

• g0

• g0

or

• gE • g0

• gE

Therefore, our intuitive picture given in Figure 15.2 is not quite accurate. In particular, the sets A and M are finite. However, by reinterpreting the geometric picture algebraically, we can still discuss tangent spaces. Since the sets A and M are finite, why not count the elements in both sets and compare? First of all, this seems to be hard to do. Secondly, the tangent spaces yield enough information. Consider the following situation. Suppose you arrive at a train station in a small town. There are no signs telling you which town it is, but you know it must be either I or II. You have the maps given in Figure 15.3, where the large dot in the center indicates the station.

I

Figure 15.3

Two Small Towns

II

SECTION 15.4 SKETCH OF WILES’S PROOF

465

By counting the streets emanating from the station, you can immediately determine which town you are in. The reason is that you have a base point. If you didn’t, then you might be on any of the vertices of I or II. You would not be able to count streets and identify the town. The configuration of streets at the station is the analogue of the tangent space at the base point. Of course, it is possible that two towns could have the same tangent spaces, but Wiles shows that this does not happen in his situation.

Tangent spaces We now want to translate the notion of a tangent space into a useful algebraic formulation. Let R[x, y] be the ring of polynomials in two variables and let f (x, y) ∈ R[x, y]. We can regard f as a function from the xy-plane to R. Restricting f to the parabola y = x2 − 6x, we obtain a function f : parabola −→ R. If g(x, y) ∈ R[x, y], then f and g give the same function on the parabola if and only if f − g is a multiple of y + 6x − x2 . For example, let f = x3 − y and g = 6x + xy + 5x2 . Then f − g = −(x + 1)(y + 6x − x2 ). If we choose a point (a, b) on the parabola, then b + 6a − a2 = 0, so f (a, b) = g(a, b) − (a + 1)(b + 6a − a2 ) = g(a, b). Therefore, there is a one-to-one correspondence polynomial functions on the parabola

←→

R[x, y]/(y + 6x − x2 ).

The ring on the right consists of congruence classes of polynomials, where we say that two polynomials are congruent if their difference is a multiple of y +6x−x2 . In this way, we have represented a geometric object, the parabola, by an algebraic object, the ring R[x, y]/(y + 6x − x2 ). Now let’s consider the tangent line y + 6x = 0 at (0, 0). It is obtained by taking the degree 1 terms in y + 6x − x2 . We can represent it by the set {ax + by | a, b ∈ R} mod (y + 6x), where we are taking all linear functions and regarding two of them as congruent if they differ by a multiple of y + 6x. Of course, we could have represented the tangent line by the ring R[x, y]/(y + 6x), but, since we already know that the tangent line is defined by a linear equation, we do not lose any information by replacing R[x, y] by the linear polynomials ax + by.

466

CHAPTER 15 FERMAT’S LAST THEOREM

Now consider the surface y − x2 + xz + 6x + z = 0. This surface contains the parabola y = x2 − 6x, z = 0. The inclusion of the parabola in the surface corresponds to a surjective ring homomorphism R[x, y, z]/(y − x2 + xz + 6x + z) f (x, y, z)

−→

R[x, y]/(y + 6x − x2 )

−→

f (x, y, 0).

We also have a surjective map on the algebraic objects representing the tangent spaces {ax + by + cz} mod (y + 6x + z)

−→

{ax + by} mod (y + 6x)

corresponding to the inclusion of the tangent line to the parabola in the tangent plane for the surface at (0, 0, 0). In this way, we can study relations between geometric objects by looking at the corresponding algebraic objects. Wiles works with rings such as Op [[x]]/(x2 − px), where for simplicity we henceforth assume that Op is the p-adic integers and where Op [[x]] denotes power series with p-adic coefficients. The zeros of x2 − px are 0 and p, so this ring corresponds to the geometric object • 0

S1 :

• p

The tangent space is represented by the set obtained by looking only at the linear terms, namely {ax | a ∈ Op } mod (px). Since a1 x ≡ a2 x mod px

⇐⇒

a1 ≡ a2

(mod p),

the tangent space can be identified with Zp . As another example, consider the ring Op [[x]]/(x(x − p)(x − p3 )), which corresponds to the geometric object S2 :

• 0

• p

• p3

The tangent space is Zp4 . There is an inclusion S1 ⊂ S2 , which corresponds to the natural ring homomorphism Op [[x]]/(x(x − p)(x − p3 )) −→ Op [[x]]/(x2 − px). The map on tangent spaces is the map from Zp4 to Zp that takes a number mod p4 and reduces it mod p. Now consider the ring Op [[x, y]]/(x2 −px, y 2 −py). In this case, we are looking at power series in two variables, and two power series are congruent if their

SECTION 15.4 SKETCH OF WILES’S PROOF

467

difference is a linear combination of the form A(x, y)(x2 −px)+B(x, y)(y 2 −py) with A, B ∈ Op [[x, y]]. The corresponding geometric object is • • (0, p) (p, p) S3 :

• • (0, 0) (p, 0)

It can be shown that two power series give the same function on this set of four points if they differ by a linear combination of x2 − px and y 2 − py. The tangent space is represented by {ax + by | a, b ∈ Op }

mod (px, py),

which means we are considering two linear polynomials to be congruent if their difference is a linear combination of px and py. It is easy to see that a1 x + b1 y ≡ a2 x + b2 y

mod (px, py)

⇐⇒

a1 ≡ a2 ,

b1 ≡ b2

(mod p).

Therefore, the tangent space is isomorphic to Zp ⊕ Zp . The inclusion S1 ⊂ S3 corresponds to the ring homomorphism Op [[x, y]]/(x2 − px, y 2 − py) −→ Op [[x]]/(x2 − px). The map on tangent spaces is the map Zp ⊕ Zp → Zp given by projection onto the first factor. In all three examples above, the rings are given by power series over Op . The number of variables equals the number of relations and the resulting ring is a finitely generated Op -module (this is easily verified in the three examples). Such rings are called local complete intersections. For such rings, it is possible to recognize when a map is an isomorphism by looking at the tangent spaces. Before proceeding, let’s look at an example that is not a local complete intersection. Consider the ring Op [[x, y]]/(x2 − px, y 2 − py, xy). The corresponding geometric object is • (0, p) S4 :

• • (0, 0) (p, 0)

468

CHAPTER 15 FERMAT’S LAST THEOREM

There are two variables and three relations, so we do not have a complete intersection. The tangent space is Zp ⊕Zp . The inclusion S4 ⊂ S3 corresponds to the ring homomorphism Op [[x, y]]/(x2 − px, y 2 − py) −→ Op [[x, y]]/(x2 − px, y 2 − py, xy) and the map on tangent spaces is an isomorphism. However, S3 = S4 . The problem is that the tangent space calculation does not notice the relation xy, which removed the point (p, p) from S3 to get S4 . Therefore, the tangent space thinks this point is still there and incorrectly predicts an isomorphism between the three point space and the four point space. The general fact we need is that if we have a surjective homomorphism of rings that are local complete intersections, and if the induced map on tangent spaces is an isomorphism, then the ring homomorphism is an isomorphism.

Deformations of Galois representations Now let’s return to our sets A and M . Corresponding to these two sets are rings RA and RM . We have g0 ∈ M ⊆ A. Let TA and TM be the tangent spaces at g0 . In the examples above, the base point g0 would correspond to x = 0 or to (x, y) = (0, 0). Corresponding to the inclusion M ⊆ A, there are surjective maps RA −→ RM , TA −→ TM . Therefore, #TM ≤ #TA . The ring RM can be constructed using the Hecke algebra and the ring RA is constructed using results about representability of functors. In fact, it was shown that there is a representation ρuniversal : G −→ GL2 (RA ) with the following property. Let ρ : G −→ GL2 (Op ) be a representation and let g be the potential modular form attached to ρ. Assume that ρ is unramified outside a fixed finite set of primes. If g ≡ g0 (mod p˜), then there exists a unique ring homomorphism φ : RA −→ Op such that the diagram ρ

universal / GL2 (RA ) G PPP PPP PPP P φ ρ PPP P'  GL2 (Op )

SECTION 15.4 SKETCH OF WILES’S PROOF

469

commutes. The representations ρ such that g ≡ g0 (mod p˜) are examples of what are known as deformations of the Galois representation for g0 . The representation ρuniversal is called a universal deformation. Example 15.3 We continue with Example 13.2. Let p = 5 and take the fixed set of primes to be {5, 17, 37}. Then it can be shown that RA  O5 [[x]]/(x2 − bx), where b/5 is a 5-adic unit and O5 is the ring of 5-adic integers. This implies that TA = Z5 . The set A has two points, g0 and g, corresponding to x = 0 and x = b. There exists an integer n, defined below, such that n ≤ #TM ≤ #TA . Moreover, a result of Flach shows that n · TA = 0. If it can be shown that n = #TA , then TA = TM . In our example, n = 5. Since we know that TA = Z5 , we have n = #TA . Therefore, TA = TM . It can be shown that RA and RM are local complete intersections. This yields RA = RM and A = M . This implies that g is a modular form. In general, recall that we started with a semistable elliptic curve E. Associated to E is the 3-adic Galois representation ρ3∞ . The theorem of LanglandsTunnell yields a modular form g0 , and therefore a Galois representation ρ0 : G −→ GL2 (O3 ). We have ρ3∞ ≡ ρ0

(mod ˜3),

so the base point ρ0 is modular and semistable mod ˜3 (the notion of semistability can be defined for general Galois representations). Under the additional √ assumption that ρ3 restricted to Gal(Q/Q( −3)) is absolutely irreducible, Wiles showed that if RM is a local complete intersection then n = #TA and the map RA → RM is an isomorphism of local complete intersections. Finally, in 1994, Wiles and Taylor used an ingenious argument to show that RM is a local complete intersection, and therefore A = M . What happens if ρ3 does not satisfy the irreducibility assumption? Wiles showed that there is a semistable elliptic curve E  with the same mod 5 representation as E but whose mod 3 representation is irreducible. Therefore, E  is modular, so the mod 5 representation of E  is modular. This means that the mod 5 representation of E is modular. If the mod 5 representation,

470

CHAPTER 15 FERMAT’S LAST THEOREM

√ restricted to Gal(Q/Q( 5)), is absolutely irreducible, then the above result of Wiles, with 5 in place of 3, shows that E is modular. There are only finitely many elliptic curves over Q for which both the mod 3 √ representation (restricted√to Gal(Q/Q( −3))) and the mod 5 representation (restricted to Gal(Q/Q( 5))) are not absolutely irreducible. These finitely many exceptions can be proved to be modular individually. Therefore, semistable elliptic curves over Q are modular. Eventually, the argument was extended by Breuil, Conrad, Diamond, and Taylor to include all elliptic curves over Q (Theorem 14.4). bm q m and let The integer n is defined as follows. Let g0 = L(g0 , s) =

∞


bm m−s =

m=1





1 − b

−s +
1−2s

−1

,

primes
∈S

where S is a finite set of bad primes (in our example, S = {5, 17, 37}). Write 1 − b
X +
X 2 = (1 − α
X)(1 − β
X). The symmetric square L-function is defined to be  −1 L(Sym2 g0 , s) = (1 − α
2
−s )(1 − β
2
−s )(1 − α
β

−s ) .
∈S

There exists a naturally defined transcendental number Ω (similar to the periods considered in Section 9.4), defined by a double integral, such that L(Sym2 g0 , 2) = r = a rational number. Ω The number n is defined to be the p-part of r (that is, n is a power of p such that r equals n times a rational number with numerator and denominator prime to p). The formula that Wiles proved is therefore that L(Sym2 g0 , 2)/Ω equals #TA times a rational number prime to p. This means that the order of an algebraic object, namely TA , is expressed in terms of the value of an analytic function, in this case the symmetric square L-function. This formula is therefore of a nature similar to the analytic class number of algebraic number theory, which expresses the class number in terms of an L-series, and the conjecture of Birch and Swinnerton-Dyer (see Section 14.2), which expresses the order of the Shafarevich-Tate group of an elliptic curve in terms of the value of its L-series.

Appendix A Number Theory

Basic results Let n be a positive integer and let Zn be the set of integers mod n. It is a group with respect to addition. We can represent the elements of Zn by the numbers 0, 1, 2, . . . , n − 1. Let Z× n = {a | 1 ≤ a ≤ n, gcd(a, n) = 1}. Then Z× n is a group with respect to multiplication mod n. Let a ∈ Z× n . The order of a mod n is the smallest integer k > 0 such that ak ≡ 1 (mod n). The order of a mod n divides φ(n), where φ is the Euler φ-function. Let p be a prime and let a ∈ Z× p . The order of a mod p divides p − 1. A primitive root mod p is an integer g such that the order of g mod p equals p − 1. If g is a primitive root mod p, then every integer is congruent mod p to 0 or to a power of g. For example, 3 is a primitive root mod 7 and {1, 3, 9, 27, 81, 243} ≡ {1, 3, 2, 6, 4, 5}

(mod 7).

There are φ(p − 1) primitive roots mod p. In particular, a primitive root mod p always exists, so Z× p is a cyclic group. There is an easy criterion for deciding whether g is a primitive root mod p, assuming we know the factorization of p − 1: If g (p−1)/q ≡ 1 (mod p) for all primes q|p − 1, then g is a primitive root mod p. This can be proved by noting that if g is not a primitive root, then its order is a proper divisor of p − 1, hence divides (p − 1)/q for some prime q. One way to find a primitive root for p, assuming the factorization of p − 1 is known, is simply to test the numbers 2, 3, 5, 6, . . . successively until a primitive root is found. Since there are many primitive roots, one should be found fairly quickly in most cases. A very useful result in number theory is the following.

471

472

APPENDIX A

NUMBER THEORY

THEOREM A.1 (Chinese Remainder Theorem) Let n1 , n2 , . . . , nr be positive integers such that gcd(ni , nj ) = 1 when i = j. Let a1 , a2 , . . . , ar be integers. Then there exists an x such that x ≡ ai

(mod ni )

for all i.

The integer x is uniquely determined mod n1 n2 · · · nr . For example, let n1 = 4, n2 = 3, n3 = 5 and let a1 = 1, a2 = 2, a3 = 3. Then x = 53 is a solution to the simultaneous congruences x≡1

(mod 4),

x≡2

(mod 3),

x≡3

(mod 5),

and any solution x satisfies x ≡ 53 (mod 60). Another way to state the Chinese Remainder Theorem is to say that if gcd(ni , nj ) = 1 for i = j, then Zn1 n2 ···nr  Zn1 ⊕ · · · ⊕ Znr (see Appendix B for the definition of ⊕). This is an isomorphism of additive groups. It is also an isomorphism of rings.

p-adic numbers Let p be a prime number and let x be a nonzero rational number. Write a x = pr , b where a, b are integers such that p
ab. Then r is called the p-adic valuation of x and is denoted by r = vp (x). Define vp (0) = ∞. (The p-adic valuation is discussed in more detail in Sections 5.4 and 8.1.) The p-adic absolute value of x is defined to be |x|p = p−r . Define |0|p = 0. For example,




12


= 1,
35
4 2




11



250
= 125, 5





1
− 41
= 1 .

2 81 3

The last example says that 1/2 and 41 are close 3-adically. Note that two integers are close p-adically if and only if they are congruent mod a large power of p.

p-ADIC NUMBERS

473

The p-adic integers are most easily regarded as sums of the form ∞ 

an pn ,

an ∈ {0, 1, 2, . . . , p − 1}.

n=0

Such infinite sums do not converge in the real numbers, but they do make sense with the p-adic absolute value since |an pn |p → 0 as n → ∞. Arithmetic operations are carried out just as with finite sums. For example, in the 3-adic integers, (1 + 2 · 3 + 0 · 32 + · · · ) + (1 + 2 · 3 + 1 · 32 + · · · ) = 2 + 4 · 3 + 1 · 32 + · · · = 2 + 1 · 3 + 2 · 32 + · · · (where we wrote 4 = 1 + 3 and regrouped, or “carried,” to obtain the last expression). If x = ak pk + ak+1 pk+1 + · · · with ak = 0, then −x = (p − ak )pk + (p − 1 − ak+1 )pk+1 + (p − 1 − ak+2 )pk+2 + · · · (A.1) (use the fact that pk+1 + (p − 1)pk+1 + (p − 1)pk+2 + · · · = 0 because the sum telescopes, so all the terms cancel). Therefore, p-adic integers have additive inverses. It is not hard to show that the p-adic integers form a ring. Any rational number with denominator not divisible by p is a p-adic integer. For example, in the 3-adics, −1 1 = = −(1 + 3 + 32 + · · · ) = 2 + 3 + 32 + · · · , 2 1−3 where we used (A.1) for the last equality. In fact, it can be shown that if ∞ x = n=0 an pn is a p-adic integer with a0 = 0, then 1/x is a p-adic integer. The p-adic rationals, which we denote by Qp , are sums of the form y=

∞ 

an pn ,

(A.2)

n=m

with m positive or negative or zero and with an ∈ {0, 1, . . . , p − 1}. If y ∈ Qp , then pk y is a p-adic integer for some integer k. The p-adic rationals form a field, and every rational number lies in Qp . If am = 0 in (A.2), then we define vp (y) = m,

|y|p = p−m .

This agrees with the definitions of the p-adic valuation and absolute value defined above when y is a rational number. Another way to look at p-adic integers is the following. Consider sequences of integers x1 , x2 , . . . such that xm ≡ xm+1

(mod pm )

(A.3)

474

APPENDIX A

NUMBER THEORY

for all m ≥ 1. Since xm ≡ xk (mod pm ) for all k ≥ m, the base p expansions for all xk with k ≥ m must agree through the pm−1 term. Therefore, the sequence of integers xm determines an expression of the form ∞ 

an pn ,

n=0

where xm ≡

m−1 

an pn

(mod pm )

n=0

for all m. In other words, the sequence of integers determines a p-adic integer. Conversely, the partial sums of a p-adic integer determine a sequence of integers satisfying (A.3). Let’s use these ideas to show that −1 is a square in the 5-adic integers. Let x1 = 2, so x21 ≡ −1 (mod 5). Suppose we have defined xm such that x2m ≡ −1 (mod 5m ). Let xm+1 = xm + b5m , where b≡

−1 − x2m 2 · 5m xm

(mod 5).

Note that x2m ≡ −1 (mod 5m ) implies that the right side of this last congruence is defined mod 5. A quick calculation shows that x2m+1 ≡ −1 (mod 5m+1 ). Since (A.3) is satisfied, there is a 5-adic integer x with x ≡ xm (mod 5m ) for all m. Moreover, x2 ≡ −1 (mod 5m ) for all m. This implies that x2 = −1. In general, this procedure leads to the following very useful result. THEOREM A.2 (Hensel’s Lemma) Let f (X) be a polynomial with coefficients that are p-adic integers and suppose x1 is an integer such that f (x1 ) ≡ 0 (mod p). If

f  (x1 ) ≡ 0

(mod p),

p-ADIC NUMBERS

475

then there exists a p-adic integer x with x ≡ x1 (mod p) and f (x) = 0. COROLLARY A.3 Let p be an odd prime and suppose b is a p-adic integer that is a nonzero square mod p. Then b is the square of a p-adic integer. The corollary can be proved by exactly the same method that was used to prove that −1 is a square in the 5-adic integers. The corollary can also be deduced from the theorem as follows. Define f (X) = X 2 − b and let x21 ≡ b (mod p). Then f (x1 ) ≡ 0 (mod p) and f  (x1 ) = 2x1 ≡ 0

(mod p)

since p is odd and x1 ≡ 0 by assumption. Hensel’s Lemma shows that there is a p-adic integer x with f (x) = 0. This means that x2 = b, as desired. When p = 2, the corollary is not true. For example, 5 is a square mod 2 but is not a square mod 8, hence is not a 2-adic square. However, the inductive procedure used above yields the following: PROPOSITION A.4 If b is a 2-adic integer such that b ≡ 1 (mod 8) then b is the square of a 2-adic integer.

Appendix B Groups

Basic definitions Since most of the groups in this book are additive abelian groups, we’ll use additive notation for the group operations in this appendix. Therefore, a group G has a binary operation + that is associative. There is an additive identity that we’ll call 0 satisfying 0+g =g+0=g for all g ∈ G. Each g ∈ G is assumed to have an additive inverse −g satisfying (−g) + g = g + (−g) = 0. If n is a positive integer, we let ng = g + g + · · · + g

(n summands).

If n < 0, we let ng = −(|n|g) = −(g + · · · + g). Almost all of the groups in this book are abelian, which means that g + h = h + g for all g, h ∈ G. If G is a finite group, the order of G is the number of elements in G. The order of an element g ∈ G is the smallest integer k > 0 such that kg = 0. If k is the order of g, then ig = jg ⇐⇒ i ≡ j

(mod k).

The basic result about orders is the following. THEOREM B.1 (Lagrange’s Theorem) Let G be a finite group. 1. Let H be a subgroup of G. Then the order of H divides the order of G. 2. Let g ∈ G. Then the order of g divides the order of G.

477

478

APPENDIX B

GROUPS

The ratio #G/#H is called the index of H in G. More generally, the index of a (possibly infinite) subgroup H in a group G is the smallest number n of elements such that we can write G as a union of translates of G by elements gi ∈ G: G = ∪ni=1 (gi + H) . For example, Z = (0 + 3Z) ∪ (1 + 3Z) ∪ (2 + 3Z), so the index of 3Z in Z is 3. A cyclic group is a group isomorphic to either Z or Zn for some n. These groups have the property that they can be generated by one element. For example, Z4 is generated by 1, and it is also generated by 3 since {0, 3, 3 + 3, 3 + 3 + 3} is all of Z4 . The following result says that the converse of Lagrange’s theorem holds for finite cyclic groups. THEOREM B.2 Let G be a finite cyclic group of order n. Let d > 0 divide n. 1. G has a unique subgroup of order d. 2. G has d elements of order dividing d, and G has φ(d) elements of order exactly d (where φ(d) is Euler’s φ-function). For example, Z6 contains the subgroup {0, 2, 4} of order 3. The elements 2, 4 ∈ Z6 have order 3. The direct sum of two groups G1 and G2 is defined to be the set of ordered pairs formed from elements of G1 and G2 : G1 ⊕ G2 = {(g1 , g2 ) | g1 ∈ G1 , g2 ∈ G2 }. Ordered pairs can be added componentwise: (g1 , g2 ) + (h1 , h2 ) = (g1 + h1 , g2 + h2 ). This makes G1 ⊕G2 into a group with (0, 0) as the identity element. A similar definition holds for the direct sum of more than two groups. We write Gr for the direct sum of r copies of G. In particular, Zr denotes the set of r-tuples of integers, which is a group under addition.

Structure theorems Two groups, G1 and G2 , are said to be isomorphic if there exists a bijection ψ : G1 → G2 such that ψ(gh) = ψ(g)ψ(h) for all g, h ∈ G1 (note that the multiplication gh is in G1 while the multiplication ψ(g)ψ(h) takes place in G2 ).

STRUCTURE THEOREMS

479

THEOREM B.3 A finite abelian group is isomorphic to a group of the form Zn1 ⊕ Zn2 ⊕ · · · ⊕ Zns with ni |ni+1 for i = 1, 2, . . . , s − 1. The integers ni are uniquely determined by G. An abelian group G is called finitely generated if there is a finite set {g1 , g2 , . . . , gk } contained in G such that every element of G can be written (not necessarily uniquely) in the form m1 g1 + · · · + mk gk with mi ∈ Z. THEOREM B.4 A finitely generated abelian group is isomorphic to a group of the form Zr ⊕ Zn1 ⊕ Zn2 ⊕ · · · ⊕ Zns with r ≥ 0 and with ni |ni+1 for i = 1, 2, . . . , s − 1. The integers r and ni are uniquely determined by G. The subgroup of G isomorphic to Zn1 ⊕ Zn2 ⊕ · · · ⊕ Zns is called the torsion subgroup of G. The integer r is called the rank of G. This theorem can be used to prove the following. THEOREM B.5 Let G1 ⊆ G2 ⊆ G3 be groups and assume that, for some integer r, both G1 and G2 are isomorphic to Zr . Then G2 is isomorphic to Zr . For example, G1 = 12Z, G2 = 6Z, and G3 = Z, each of which is isomorphic as a group to Z, satisfy the theorem. This theorem is used in the text when G1 and G3 are lattices in C. Then G1 and G3 are isomorphic to Z2 . If G1 ⊆ G2 ⊆ G3 , then G2  Z2 , so there exist ω1 , ω2 such that G2 = Zω1 +Zω2 . Since G1 is a lattice, it contains two vectors that are linearly independent over R. Since G1 ⊆ G2 , this implies that ω1 and ω2 are linearly independent over R. Therefore, G2 is a lattice.

480

APPENDIX B

GROUPS

Homomorphisms Let G1 , G2 be groups. A homomorphism from G1 to G2 is a map ψ : G1 → G2 such that ψ(g + h) = ψ(g) + ψ(h) for all g, h ∈ G1 . In other words, the map takes sums in G1 to the corresponding sums in G2 . The kernel of ψ is Ker ψ = {g ∈ G1 | ψ(g) = 0}. The image of ψ is denoted ψ(G1 ), which is a subgroup of G2 . The main result we need is the following. THEOREM B.6 Assume G1 is a finite group and ψ : G1 → G2 is a homomorphism. Then #G1 = (#Ker ψ) (#ψ(G1 )) . In fact, in terms of quotient groups, G1 /Ker ψ  ψ(G1 ).

Appendix C Fields Let K be a field. There is a ring homomorphism ψ : Z → K that sends 1 ∈ Z to 1 ∈ K. If ψ is injective, then we say that K has characteristic 0. Otherwise, there is a smallest positive integer p such that ψ(p) = 0. In this case, we say that K has characteristic p. If p factors as ab with 1 < a ≤ b < p, then ψ(a)ψ(b) = ψ(p) = 0, so ψ(a) = 0 or ψ(b) = 0, contradicting the minimality of p. Therefore, p is prime. When K has characteristic 0, the field Q of rational numbers is contained in K. When K has characteristic p, the field Fp of integers mod p is contained in K. Let K and L be fields with K ⊆ L. If α ∈ L, we say that α is algebraic over K if there exists a nonconstant polynomial f (X) = X n + an−1 X n−1 + · · · + a0 with a0 , . . . , an−1 ∈ K such that f (α) = 0. We say that L is an algebraic over K, or that L is an algebraic extension of K, if every element of L is algebraic over K. An algebraic closure of a field K is a field K containing K such that 1. K is algebraic over K. 2. Every nonconstant polynomial g(X) with coefficients in K has a root in K (this means that K is algebraically closed). If g(X) has degree n and has a root α ∈ K, then we can write g(X) = (X − α)g1 (X) with g1 (X) of degree n − 1. By induction, we see that g(X) has exactly n roots (counting multiplicity) in K. It can be shown that every field K has an algebraic closure, and that any two algebraic closures of K are isomorphic. Throughout the book, we implicitly assume that a particular algebraic closure of a field K has been chosen, and we refer to it as the algebraic closure of K. When K = Q, the algebraic closure Q is the set of complex numbers that are algebraic over Q. When K = C, the algebraic closure is C itself, since the fundamental theorem of algebra states that C is algebraically closed.

481

482

APPENDIX C FIELDS

Finite fields Let p be a prime. The integers mod p form a field Fp with p elements. It can be shown that the number of elements in a finite field is a power of a prime, and for each power pn of a prime p, there is a unique (up to isomorphism) field with pn elements. (Note: The ring Zpn is not a field when n ≥ 2 since p does not have a multiplicative inverse; in fact, p is a zero divisor since p · pn−1 ≡ 0 (mod pn ).) In this book, the field with pn elements is denoted Fpn . Another notation that appears often in the literature is GF (pn ). It can be shown that Fpm ⊆ Fpn

⇐⇒

m|n.

The algebraic closure of Fp can be shown to be Fp =



Fpn .

n≥1

THEOREM C.1 Let Fp be the algebraic closure of Fp and let q = pn . Then Fq = {α ∈ Fp | αq = α}. PROOF The group F× q of nonzero elements of Fq forms a group of order q − 1, so αq−1 = 1 when 0 = α ∈ Fq . Therefore, αq = α for all α ∈ Fq . Recall that a polynomial g(X) has multiple roots if and only if g(X) and g  (X) have a common root. Since d (X q − X) = qX q−1 − 1 = −1 dX (since q = pn = 0 in Fp ), the polynomial X q − X has no multiple roots. Therefore, there are q distinct α ∈ Fp such that αq = α. Since both sets in the statement of the theorem have q elements and one is contained in the other, they are equal. Define the q-th power Frobenius automorphism φq of Fq by the formula φq (x) = xq PROPOSITION C.2 Let q be a power of the prime p. 1. Fq = Fp .

for all x ∈ Fq .

FINITE FIELDS

483

2. φq is an automorphism of Fq . In particular, φq (x + y) = φq (x) + φq (y),

φq (xy) = φq (x)φq (y)

for all x, y ∈ Fq . 3. Let α ∈ Fq . Then α ∈ Fqn

φnq (α) = α.

⇐⇒

PROOF Part (1) is a special case of a more general fact: If K ⊆ L and every element of L is algebraic over K, then L = K. This can be proved as follows. If α is algebraic over L and L is algebraic over K, then a basic property of algebraicity is that α is then algebraic over K. Therefore, L is algebraic over K and is algebraically closed. Therefore, it is an algebraic closure of K. Part (3) is just a restatement of Theorem C.1, with q n in place of q. We now prove part (2). If 1 ≤ j ≤ p − 1, the binomial coefficient pj has a factor of p in its numerator that is not canceled by the denominator, so   p ≡ 0 (mod p). j Therefore,

    p p−1 p p−2 2 x y+ x y + · · · + yp (x + y) = x + 1 2 = xp + y p p

p

since we are working in characteristic p. An easy induction yields that n

n

n

(x + y)p = xp + y p

for all x, y ∈ Fp . This implies that φq (x + y) = φq (x) + φq (y). The fact that φq (xy) = φq (x)φq (y) is clear. This proves that φq is a homomorphism of fields. Since a homomorphism of fields is automatically injective (see the discussion preceding Proposition C.5), it remains to prove that φq is surjective. If α ∈ Fp , then α ∈ Fqn for some n, so φnq (α) = α. Therefore, α is in the image of φq , so φq is surjective. Therefore, φq is an automorphism. × In Appendix A, it was pointed out that F× p = Zp is a cyclic group, generated by a primitive root. More generally, it can be shown that F× q is a cyclic group. A useful consequence is the following.

PROPOSITION C.3 Let m be a positive integer with p
m and let µm be the group of mth roots of unity. Then ⇐⇒ m|q − 1. µm ⊆ F× q

484

APPENDIX C FIELDS

PROOF By Lagrange’s theorem (see Appendix B), if µm ⊆ F× q , then is cyclic of order q − 1, it m|q − 1. Conversely, suppose m|q − 1. Since F× q has a subgroup of order m (see Appendix B). By Lagrange’s theorem, the elements of this subgroup must satisfy xm = 1, hence they must be the m elements of µm . Let Fq ⊆ Fqn be finite fields. We can regard Fqn as a vector space of dimension n over Fq . This means that there is a basis {β1 , . . . , βn } of elements of Fqn such that every element of Fqn has a unique expression of the form a1 β1 + · · · + an βn with a1 , . . . , an ∈ Fq . The next result says that it is possible to choose a basis of a particularly nice form, sometimes called a normal basis. PROPOSITION C.4 There exists β ∈ Fqn such that {β, φq (β), . . . , φn−1 (β)} q is a basis of Fqn as a vector space over Fq . An advantage of a normal basis is that the qth power map becomes a shift operator on the coordinates: Let x = a1 β + a2 φq (β) + · · · + an φn−1 (β), q with ai ∈ Fq . Then aqi = ai and φnq (β) = β, so (β q ) xq = a1 β q + a2 φq (β q ) + · · · + an φn−1 q (β) = an φnq (β) + a1 φq (β) + · · · + an−1 φn−1 q (β). = an β + a1 φq (β) + · · · + an−1 φn−1 q Therefore, if x has coordinates (a1 , . . . , an ) with respect to the normal basis, then xq has coordinates (an , a1 , . . . , an−1 ). Therefore, the computation of qth powers is very fast and requires no calculation in Fqn . This has great computational advantages.

Embeddings and automorphisms Let K be a field of characteristic 0, so Q ⊆ K. An element α ∈ K is called transcendental if it is not the root of any nonzero polynomial with

EMBEDDINGS AND AUTOMORPHISMS

485

rational coefficients, that is, if it is not algebraic over Q. A set of elements S = {αi } ⊆ K (with i running through some (possibly infinite) index set I) is called algebraically dependent if there are n distinct elements α1 , . . . , αn of S, for some n ≥ 1, and a nonzero polynomial f (X1 , . . . , Xn ) with rational coefficients such that f (α1 , . . . , αn ) = 0. The set S is called algebraically independent if it is not algebraically dependent. This means that there is no polynomial relation among the elements of S. A maximal algebraically independent subset of K is called a transcendence basis of K. The transcendence degree of K over Q is the cardinality of a transcendence basis (the cardinality is independent of the choice of transcendence basis). If every element of K is algebraic over Q, then the transcendence degree is 0. The transcendence degree of C over Q is infinite, in fact, uncountably infinite. Let K be a field of characteristic 0, and choose a transcendence basis S. Let F be the field generated by Q and the elements of S. The maximality of S implies that every element of K is algebraic over F . Therefore, K can be obtained by starting with Q, adjoining algebraically independent transcendental elements, then making an algebraic extension. Let K and L be fields and let f : K → L be a homomorphism of fields. We always assume f maps 1 ∈ K to 1 ∈ L. Then f is injective. One way to see this is to note that if 0 = x ∈ K, then 1 = f (x)f (x−1 ) = f (x)f (x)−1 ; since f (x) has a multiplicative inverse, it cannot be 0. The following result is very useful. It is proved using Zorn’s Lemma (see [71]). PROPOSITION C.5 Let K and L be fields. Assume that L is algebraically closed and that there is a field homomorphism f : K −→ L. Then there is a homomorphism f˜ : K → L such that f˜ restricted to K is f . Proposition C.5 has the following nice consequence. COROLLARY C.6 Let K be a field of characteristic 0. Assume that K has finite transcendence degree over Q. Then there is a homomorphism K → C. Therefore, K can be regarded as a subfield of C. PROOF Choose a transcendence basis S = {α1 , . . . , αn } of K and let F be the field generated by Q and S. Since C has uncountable transcendence degree over Q, we can choose n algebraically independent elements τ1 , . . . , τn ∈ C. Define f : F → C by making f the identity map on Q and setting f (αj ) = τj for all j. The proposition says that f can be extended to f˜ : F → C. Since K is an algebraic extension of F , we have K ⊆ F . Restricting f˜ to K yields

486

APPENDIX C FIELDS

the desired homomorphism from K → C. Since a homomorphism of fields is injective, K is isomorphic to its image under this homomorphism. Therefore, K is isomorphic to a subfield of C. The proposition also holds, with a similar proof, if the transcendence degree of K is at most the cardinality of the real numbers, which is the cardinality of a transcendence basis of C. If α ∈ C is algebraic over Q, then f (α) = 0 for some nonzero polynomial with rational coefficients. Let Aut(C) be the set of field automorphisms of C and let σ ∈ Aut(C). Then σ(1) = 1, from which it follows that σ is the identity on Q. Therefore, 0 = σ(f (α)) = f (σ(α)), so σ(α) is one of the finitely many roots of f (X). The next result gives a converse to this fact. PROPOSITION C.7 Let α ∈ C. If the set

{σ(α) | σ ∈ Aut(C)},

where σ runs through all automorphisms of C, is finite, then α is algebraic over Q. PROOF Suppose α is transcendental. There is a transcendence basis S of C with α ∈ S. Then C is algebraic over the field F generated by Q and S. The map σ : F −→ F α −→ α + 1 β −→ β

when β ∈ S, β = α

defines an automorphism of F . By Proposition C.5, σ can be extended to a map σ ˜ : C → C. We want to show that σ ˜ is an automorphism, which means that we must show that σ ˜ is surjective. Let y ∈ C. Since y is algebraic over F , there is a nonzero polynomial g(X) with coefficients in F such that −1 g(y) = 0. Let g σ denote the result of applying σ −1 to all of the coefficients of g (note that we know σ −1 exists on F because we already know that σ is −1 an automorphism of F ). For any root r of g σ , we have −1

σ (r)). 0=σ ˜ g σ (r) = g(˜ −1

Therefore, σ ˜ maps the roots of g σ to roots of g. Since the two polynomials have the same number of roots, σ ˜ gives a bijection between the two sets of

EMBEDDINGS AND AUTOMORPHISMS

487

roots. In particular, σ ˜ (r) = y for some r. Therefore, y is in the image of σ ˜. This proves that σ ˜ is surjective, so σ ˜ is an automorphism of C. Since σ ˜ j (α) = α + j, the set of images of α under automorphisms of C is infinite, in contradiction to our assumption. Therefore, α cannot be transcendental, hence must be algebraic. REMARK C.8 In Proposition C.7, the assumption that the set is finite can be changed to assuming that the set is countable, with essentially the same proof. Namely, if α is transcendental, then, for any γ ∈ S, there is an automorphism σ satisfying σ(α) = α + γ. The fact that S is uncountable yields the result.

Appendix D Computer Packages There are several computer algebra packages available that do calculations on elliptic curves. In this appendix, we give a brief introduction to three of the major packages. Rather than give explanations of the structure of these packages, we simply include some examples of some computations that can be performed with them. The reader should consult the documentation that is available online or with the packages to see numerous other possibilities.

D.1 Pari Pari/GP is a free computer algebra system for number theory calculations. It can be downloaded from http://pari.math.u-bordeaux.fr/. Here is a transcript of a session, with commentary. GP/PARI CALCULATOR Version 2.3.0 (released) i686 running linux (ix86 kernel) 32-bit version compiled: Aug 16 2007, gcc-3.4.4 20050721 (Red Hat 3.4.4-2) (readline v4.3 enabled [was v5.0 in Configure], extended help available) Copyright (C) 2000-2006 The PARI Group PARI/GP is free software, covered by the GNU General Public License, and comes WITHOUT ANY WARRANTY WHATSOEVER. Type ? for help, \q to quit. Type ?12 for how to get moral (and possibly technical) support. parisize = 4000000, primelimit = 500000 First, we need to enter and initialize an elliptic curve. Let [a1 , a2 , a3 , a4 , a6 ] be the coefficients for the curve in generalized Weierstrass form. Start with the curve of Example 9.3: E1 : y 2 = x3 − 58347x + 3954150. ? e1=ellinit([0,0,0,-58347,3954150]) %1 = [0, 0, 0, -58347, 3954150, 0, -116694, 15816600,

489

490

APPENDIX D

COMPUTER PACKAGES

-3404372409, 2800656, -3416385600, 5958184124547072, 10091699281/2737152, [195.1547871847901607239497645, 75.00000000000000000000000000, -270.1547871847901607239497645], 0.1986024692687475355260042188, 0.1567132675477145982613047883*I, -6.855899811988574944063544705, -21.22835194662770142565252843*I, 0.03112364190214999895971387115] The output contains several parameters for the curve (type ?ellinit to see an explanation). For example, the periods ω1 = i0.156713 . . . and ω2 = 0.198602 . . . are entries. The j-invariant is the 13th entry: ? e1[13] %2 = 10091699281/2737152 Here is the curve E2 : y 2 = x3 + 73: ? e2=ellinit([0,0,0,0,73]) %3 = [0, 0, 0, 0, 73, 0, 0, 292, 0, 0, -63072, -2302128, 0, [-4.179339196381231892056376349, 2.089669598190615946028188174 + 3.619413915098187674530455654*I, 2.089669598190615946028188174 -3.619413915098187674530455654*I], 2.057651708004923756251055780, -1.028825854002461878125527890+0.5939928837575679811100134634*I, -2.644469941892436553395125300, 1.322234970946218276697562650 -2.290178149223208371431388983*I, 1.222230471806529890431614914] We can add the points (2, 9) and (3, 10), which lie on the curve: ? elladd(e2,[2,9],[3,10]) %4 = [-4, -3] We can compute the 3rd multiple of (2, 9): ? ellpow(e2,[2,9],3) %5 = [5111/625, -389016/15625] The torsion subgroup of the Mordell-Weil group can be computed: ? %6 ? %7

elltors(e1) = [10, [10], [[3, 1944]]] elltors(e2) = [1, [], []]

The first output says that the torsion subgroup of E1 (Q) has order 10, it is cyclic of order 10, and it is generated by the point (3, 1944). The second output says that the torsion subgroup of E2 (Q) is trivial. The number of points on an elliptic curve mod a prime p has the form p + 1 − ap . The value of a13 for E1 is computed as follows: ? ellap(e1,13) %8 = 4 Therefore, there are 13 + 1 − 4 = 10 points on E1 mod 13.

SECTION D.1

PARI

491

We can also compute with curves mod p. Let’s consider E3 : y 2 = x3 + 10x + 5 (mod 13) (this is the reduction of E1 mod 13): ? e3=ellinit([0,0,0,Mod(10,13),Mod(5,13)]) %9 = [0, 0, 0, Mod(10, 13), Mod(5, 13), 0, Mod(7, 13), Mod(7, 13), Mod(4, 13), Mod(1, 13), Mod(9, 13), Mod(2, 13), Mod(7, 13), 0, 0, 0, 0, 0, 0] Multiples of points can be computed as before: ? ellpow(e3,[Mod(3,13),Mod(7,13)],10) %10 = [0] ? ellpow(e3,[Mod(3,13),Mod(7,13)],5) %11 = [Mod(10, 13), Mod(0, 13)] The first output means that the 10th multiple of the point is ∞. The height pairing can be computed. For example, on E2 the pairing (2, 9), (3, 10) from Example 8.11 is computed as follows: ? ellbil(e2,[2,9],[3,10]) %12 = -0.9770434128038324411625933747 Pari works with the complex √ functions associated to an elliptic curve. For example, the value of j((1 + −171)/2) (see the beginning of Section 10.4) is computed as follows: ? ellj((1+sqrt(-171))/2) %13 = -694282057876536664.0122886865 + 0.0000000003565219231*I We know the value should be real. To increase the precision to 60 digits, type: ? \p 60 realprecision = 67 significant digits (60 digits displayed) Now, retype the previous command: ? ellj((1+sqrt(-171))/2) %14 = -694282057876536664.0122886867083074260443674536412446626 29851 - 7.05609883 E-49*I The imaginary part of the answer is less than 10−48 . To find other functions that are available, type ?. To find the functions that relate to elliptic curves, type ?5. To find how to use a command, for example elladd, type ?elladd elladd(e,z1,z2): curve e. To quit, type ? \q Goodbye!

sum of the points z1 and z2 on elliptic

492

APPENDIX D

COMPUTER PACKAGES

D.2 Magma Magma is a large computer algebra package. It requires a license to use. It is available on some institutional computers. For general information, see http://magma.maths.usyd.edu.au/magma/. The following is the transcript of a session, with commentary. The session starts: Magma V2.11-14 Thu Nov 1 2007 15:48:04 [Seed = 3635786414] Type ? for help. Type -D to quit. Let’s enter the elliptic curve E1 : y 2 = x3 − 58447x + 3954150 of Example 9.3. The vector represents the coefficients [a1 , a2 , a3 , a4 , a6 ] in generalized Weierstrass form. Unless otherwise specified, the curve is over the rational numbers. > E1:= EllipticCurve( [ 0, 0, 0, -58347, 3954150 ]); Note that the line needs to end with a semicolon. To find out what E1 is: > E1; Elliptic Curve defined by yˆ2 = xˆ3 - 58347*x + 3954150 over Rational Field Let’s also define E2 : y 2 = x3 + 73. Here we use the shortened form of the coefficient vector [a4 , a6 ] corresponding to (nongeneralized) Weierstrass form. > E2:= EllipticCurve( [ 0, 73 ]); Let’s add the points (2, 9) and (3, 10) on E2 . The notation E2![2,9] specifies that [2, 9] lives on E2 , rather than in some other set. > E2![2,9] + E2![3, 10]; (-4 : -3 : 1) Note that the answer is in projective coordinates. We could have done the computation with one or both points in projective coordinates. For example: > E2![2,9] + E2![3, 10, 1]; (-4 : -3 : 1) The identity element of E2 is > E2!0; (0 : 1 : 0) We can also define a point using := > S:= E2![2,9] + E2![3, 10]; To find out what S is: > S; (-4 : -3 : 1) The computer remembers that S lies on E2 , so we can add it to another point on E2 :

SECTION D.2

MAGMA

493

> S + E2![2, 9]; (6 : -17 : 1) To find the 3rd multiple of the point (2, 9) on E2 : > 3*E2![2,9]; (5111/625 : -389016/15625 :

1)

To find the torsion subgroup of E1 (Q): > TorsionSubgroup(E1); Abelian Group isomorphic to Z/10 Defined on 1 generator Relations: 10*$.1 = 0 Note that we obtained only an abstract group, not the points. To get the points, we define a group G and an isomorphism f from G to the set of points: > G, f:= TorsionSubgroup(E1); To obtain the first element of G, type: > f(G.1); (3 : 1944 :

1)

This is a torsion point in E1 (Q). Let’s reduce E1 mod 13. Define F to be the field with 13 elements and E3 to be E1 mod 13: > F:= GF(13); > E3:= ChangeRing( E1, F ); > E3; Elliptic Curve defined by yˆ2 = xˆ3 +10*x + 5 over GF(13) The last command was not needed. It simply identified the nature of E3 . We also could have defined a curve over F13 . The command F!10 puts 10 into F13 , which forces everything else, for example 5, to be in F13 : > E4:= EllipticCurve( [F!10, 5]); > E4; Elliptic Curve defined by yˆ2 = xˆ3 +10*x + 5 over GF(13) > E3 eq E4; true The last command asked whether E3 is the same as E4 . The answer was yes. We can find out how many points there are in E3 (F13 ), or we can list all the points: > #E3; 10 > Points(E3); {@ (0 : 1 : 0), (1 : 4 : 1), (1 : 9 : 1), (3 : 6 : 1), (3 : 7 : 1), (8 : 5 : 1), (8 : 8 : 1), (10 : 0 : 1),

494

APPENDIX D

(11 :

4 :

COMPUTER PACKAGES

1), (11 :

9 :

1) @}

The @’s in the last output specifies that the entries are a set indexed by positive integers. Let’s compute the Weil pairing e3 ((0, 3), (5, 1)) on the curve E5 : y 2 = x2 +2 over F7 , as in Example 11.5. > E5:= EllipticCurve([0, GF(7)!2]); > WeilPairing( E5![0,3], E5![5,1], 3); 4 The answer is 4, which is a cube root of unity in F7 . Note that this is the inverse of the Weil pairing used elsewhere in this book (cf. Remark 11.11). We can compute the Mordell-Weil group E2 (Q): > MordellWeilGroup(E2); Abelian Group isomorphic to Z + Z Defined on 2 generators (free) > Generators(E2); [ (2 : 9 : 1), (-4 : 3 : 1) ] To find a command that computes, for example, Mordell-Weil groups, type ?MordellWeil or ?Mordell to get an example or a list of examples. To quit Magma, type D For much more on Magma, go to http://magma.maths.usyd.edu.au/magma/htmlhelp/MAGMA.htm For elliptic curves, click on the Arithmetic Geometry link.

D.3 SAGE Sage is an open source computer algebra package that can be downloaded for free from www.sagemath.org/. For general information, see the web site, which also contains a tutorial and documentation. The following is the transcript of a session, with commentary. The session starts: Linux sage 2.6.17-12-386 #2 Sun Sep 23 22:54:19 UTC 2007 i686 The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. | SAGE Version 2.8.8.1, Release Date:

2007-10-21

|

SECTION D.3

SAGE

| Type notebook() for the GUI, and license() for information.

495 |

Let’s enter the elliptic curve E1 : y 2 = x3 − 58447x + 3954150 of Example 9.3. The vector represents the coefficients [a1 , a2 , a3 , a4 , a6 ] in generalized Weierstrass form. Unless otherwise specified, the curve is over the rational numbers. sage:

E1 = EllipticCurve([ 0, 0, 0, -58347, 3954150 ])

To find out what E1 is: sage: E1 Elliptic Curve defined by yˆ2 = xˆ3 - 58347*x + 3954150 over Rational Field Let’s also define E2 : y 2 = x3 + 73. Here we use the shortened form of the coefficient vector [a4 , a6 ] corresponding to (nongeneralized) Weierstrass form. sage:

E2 = EllipticCurve([ 0, 73 ]);

Let’s add the points (2, 9) and (3, 10) on E2 : sage: (-4 :

E2([2,9]) + E2([3, 10]) -3 : 1)

Note that the answer is in projective coordinates. We could have done the computation with one or both points in projective coordinates. For example: sage: (-4 :

E2([2,9]) + E2([3, 10, 1]) -3 : 1)

The identity element of E2 is sage: E2(0) (0 : 1 : 0) We can also define a point: sage:

S = E2([2,9]) + E2([3, 10])

To find out what S is: sage: (-4 :

S -3 :

1)

The computer remembers that S lies on E2 , so we can add it to another point on E2 : sage: S + E2([2, 9]) (6 : -17 : 1) To find the 3rd multiple of the point (2, 9) on E2 : sage: 3*E2([2,9]) (5111/625 : -389016/15625 :

1)

To find the torsion subgroup of E1 (Q): sage: E1.torsion subgroup() Torsion Subgroup isomorphic to Multiplicative Abelian Group

496

APPENDIX D

COMPUTER PACKAGES

isomorphic to C10 associated to the Elliptic Curve defined by y2 = x3 - 58347*x + 3954150 over Rational Field C10 denotes the cyclic group of order 10. To get a generator: sage: E1.torsion subgroup().gen() (3 : 1944 : 1) The number of points on an elliptic curve mod a prime p has the form p + 1 − ap . The value of a13 for E1 is computed as follows: sage: E1.ap(13) 4 Therefore, there are 13 + 1 − 4 = 10 points on E1 mod 13. Let’s reduce E1 mod 13: sage: E3 = E2.change ring(GF(13)) sage: E3 Elliptic Curve defined by yˆ2 = xˆ3 +10*x + 5 over Finite Field of size 13 The last command was not needed. It simply identified the nature of E3 . We also could have defined a curve over F13 . sage: E4 = EllipticCurve(GF(13), [10, 5]) sage: E4 Elliptic Curve defined by yˆ2 = xˆ3 +10*x + 5 over Finite Field of size 13 sage: E3 is E4 True The last command asked whether E3 is the same as E4 . The answer was yes. We can find out how many points there are in E3 (F13 ), or we can list all the points: sage: 10 sage: [(0 : (11 : (8 : (1 : (10 : (1 : (3 : (8 : (11 : (3 :

E3.cardinality() E3.points() 1 : 0), 4 : 1), 5 : 1), 4 : 1), 0 : 1), 9 : 1), 6 : 1), 8 : 1), 9 : 1), 7 : 1)]

Consider the curve E5 : y 2 = x3 − 1 over F229 , as in Example 4.10. We can compute its group structure:

SECTION D.3

SAGE

497

sage: EllipticCurve(GF(229),[0,-1]).abelian group() (Multiplicative Abelian Group isomorphic to C42 x C6, ((62 : 25 : 1), (113 : 14 : 1))) Therefore, E5 (F229 )  Z42 ⊕ Z6 , and it has the listed generators. Let’s compute the rank and generators of the Mordell-Weil group E2 (Q): sage: E2.rank() 2 sage: E2.gens() [(-4 : 3 : 1),(2: 9 : 1)] The generators are the generators of the nontorsion part. The command does not yield generators of the torsion subgroup. For these, use the command E.torsion subgroup().gen() used previously. To find the periods ω1 and ω2 of E1 : sage: E1.period lattice.0 0.1986024692687475355260042188... sage: E1.period lattice.1 0.1567132675477145982613047883...*I The j-invariant of E1 is sage: E1.j invariant() 10091699281/2737152 To find a list of commands that start with a given string of letters, type those letters and then press the “Tab” key: sage: Ell (‘Tab’) Ellipsis EllipticCurve

EllipticCurve from c4c6 EllipticCurve from cubic

To find out about the command EllipticCurve, type sage: EllipticCurve? The output is a description with some examples. For more on SAGE, go to http://www.sagemath.org.

References [1] MFIPS 186-2. Digital signature standard. Federal Information Processing Standards Publication 186. U. S. Dept. of Commerce/National Institute of Standards and Technology, 2000. [2] M. Abdalla, M. Bellare, and P. Rogaway. The Oracle Diffie-Hellman assumption and an analysis of DHIES. Topics in cryptology - CT RSA 01. volume 2020 of Lecture Notes in Computer Science, Springer, Berlin, 2001, pages 143–158. [3] L. Adleman, J. DeMarrais, and M.-D. Huang. A subexponential algorithm for discrete logarithms over hyperelliptic curves of large genus over GF(q). Theoret. Comput. Sci., 226(1-2): 7–18, 1999. [4] L. V. Ahlfors. Complex analysis. McGraw-Hill Book Co., New York, third edition, 1978. An introduction to the theory of analytic functions of one complex variable, International Series in Pure and Applied Mathematics. [5] W. S. Anglin. The square pyramid puzzle. Amer. Math. Monthly, 97(2): 120–124, 1990. [6] M. F. Atiyah and C. T. C. Wall. Cohomology of groups. In Algebraic number theory (Proc. Instructional Conf., Brighton, 1965), pages 94– 115. Thompson, Washington, D.C., 1967. [7] A. O. L. Atkin and F. Morain. Elliptic curves and primality proving. Math. Comp., 61(203):29–68, 1993. [8] A. O. L. Atkin and F. Morain. Finding suitable curves for the elliptic curve method of factorization. Math. Comp., 60(201):399–405, 1993. [9] R. Balasubramanian and N. Koblitz. The improbability that an elliptic curve has subexponential discrete log problem under the MenezesOkamoto-Vanstone algorithm. J. Cryptology, 11(2):141–145, 1998. [10] J. Belding A Weil pairing on the p-torsion of ordinary elliptic curves over K[
]. J. Number Theory (to appear). [11] D. Bernstein and T. Lange. Faster addition and doubling on elliptic curves. Asiacrypt 2007 (to appear). [12] I. F. Blake, G. Seroussi, and N. P. Smart. Elliptic curves in cryptography, volume 265 of London Mathematical Society Lecture Note Series.

499

500

REFERENCES

Cambridge University Press, Cambridge, 2000. Reprint of the 1999 original. [13] D. Boneh. The decision Diffie-Hellman problem. In Algorithmic number theory (Portland, OR, 1998), volume 1423 of Lecture Notes in Comput. Sci., pages 48–63. Springer-Verlag, Berlin, 1998. [14] D. Boneh and N. Daswani. Experimenting with electronic commerce on the PalmPilot. In Financial Cryptography ’99, volume 1648 of Lecture Notes in Comput. Sci., pages 1–16. Springer-Verlag, Berlin, 1999. [15] D. Boneh and M. Franklin. Identity based encryption from the Weil pairing. In Advances in cryptology, Crypto 2001 (Santa Barbara, CA), volume 2139 of Lecture Notes in Comput. Sci., pages 213–229. SpringerVerlag, Berlin, 2001. [16] A. I. Borevich and I. R. Shafarevich. Number theory. Translated from the Russian by N. Greenleaf. Pure and Applied Mathematics, Vol. 20. Academic Press, New York, 1966. [17] J. M. Borwein and P. B. Borwein. Pi and the AGM. Canadian Mathematical Society Series of Monographs and Advanced Texts. John Wiley & Sons Inc., New York, 1987. A study in analytic number theory and computational complexity, A Wiley-Interscience Publication. [18] W. Bosma and H. W. Lenstra, Jr. Complete systems of two addition laws for elliptic curves. J. Number Theory, 53(2):229–240, 1995. [19] R. P. Brent, R. E. Crandall, K. Dilcher, and C. van Halewyn. Three new factors of Fermat numbers. Math. Comp., 69(231):1297–1304, 2000. [20] C. Breuil, B. Conrad, F. Diamond, and R. Taylor. On the modularity of elliptic curves over Q: wild 3-adic exercises. J. Amer. Math. Soc., 14(4):843–939, 2001. [21] K. S. Brown. Cohomology of groups, volume 87 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1994. Corrected reprint of the 1982 original. [22] D. G. Cantor. Computing in the Jacobian of a hyperelliptic curve. Math. Comp., 48(177):95–101, 1987. [23] J. W. S. Cassels. Lectures on elliptic curves, volume 24 of London Mathematical Society Student Texts. Cambridge University Press, Cambridge, 1991. [24] C. H. Clemens. A scrapbook of complex curve theory. Plenum Press, New York, 1980. The University Series in Mathematics. [25] H. Cohen. A course in computational algebraic number theory, volume 138 of Graduate Texts in Mathematics. Springer-Verlag, Berlin, 1993.

REFERENCES

501

[26] H. Cohen, A. Miyaji, and T. Ono. Efficient elliptic curve exponentiation using mixed coordinates. In Advances in cryptology—ASIACRYPT’98 (Beijing), volume 1514 of Lecture Notes in Comput. Sci., pages 51–65. Springer-Verlag, Berlin, 1998. [27] H. Cohen, G. Frey, R. Avanzi, C. Doche, T. Lange, K. Nguyen, and F. Vercauteren, editors. Handbook of elliptic and hyperelliptic curve cryptography Chapman & Hall/CRC, Boca Raton, 2005. [28] I. Connell. Addendum to a paper of K. Harada and M.-L. Lang: “Some elliptic curves arising from the Leech lattice” [J. Algebra 125 (1989), no. 2, 298–310]; J. Algebra, 145(2): 463–467, 1992. [29] G. Cornell, J. H. Silverman, and G. Stevens, editors. Modular forms and Fermat’s last theorem. Springer-Verlag, New York, 1997. Papers from the Instructional Conference on Number Theory and Arithmetic Geometry held at Boston University, Boston, MA, August 9–18, 1995. [30] D. A. Cox. The arithmetic-geometric mean of Gauss. Enseign. Math. (2), 30(3-4):275–330, 1984. [31] J. Cremona. Algorithms for modular elliptic curves, (2nd ed.). Cambridge University Press, 1997. [32] H. Darmon, F. Diamond, and R. Taylor. Fermat’s last theorem. In Current developments in mathematics, 1995 (Cambridge, MA), pages 1–154. Internat. Press, Cambridge, MA, 1994. [33] M. Deuring. Die Typen der Multiplikatorenringe elliptischer Funktionenk¨ orper. Abh. Math. Sem. Hamburg, 14:197–272, 1941. [34] L. E. Dickson. History of the theory of numbers. Vol. II: Diophantine analysis. Chelsea Publishing Co., New York, 1966. [35] D. Doud. A procedure to calculate torsion of elliptic curves over Q. Manuscripta Math., 95(4):463–469, 1998. [36] H. M. Edwards. A normal form for elliptic curves. Bull. Amer. Math. Soc. (N.S.), 44(3): 393–422, 2007. [37] N. D. Elkies. The existence of infinitely many supersingular primes for every elliptic curve over Q. Invent. Math., 89(3):561–567, 1987. [38] A. Enge. Elliptic curves and their applications to cryptography: An introduction. Kluwer Academic Publishers, Dordrecht, 1999. [39] E. Fouvry and M. Ram Murty. On the distribution of supersingular primes. Canad. J. Math., 48(1): 81-104, 1996. [40] G. Frey, M. M¨ uller, and H.-G. R¨ uck. The Tate pairing and the discrete logarithm applied to elliptic curve cryptosystems. IEEE Trans. Inform. Theory, 45(5):1717–1719, 1999.

502

REFERENCES

[41] G. Frey and H.-G. R¨ uck. A remark concerning m-divisibility and the discrete logarithm in the divisor class group of curves. Math. Comp., 62(206):865–874, 1994. [42] W. Fulton. Algebraic curves. Advanced Book Classics. Addison-Wesley Publishing Company Advanced Book Program, Redwood City, CA, 1989. An introduction to algebraic geometry, Notes written with the collaboration of R. Weiss, Reprint of 1969 original. [43] W. Fulton. Intersection theory. Springer-Verlag, Berlin, 1984. [44] S. Galbraith, K. Harrison, and D. Soldera. Implementing the Tate pairing. In Algorithmic number theory (Sydney, Australia, 2002), volume 2369 of Lecture Notes in Comput. Sci., pages 324–337. Springer-Verlag, Berlin, 2002. [45] S. D. Galbraith and N. P. Smart. A cryptographic application of Weil descent. In Cryptography and coding (Cirencester, 1999), volume 1746 of Lecture Notes in Comput. Sci., pages 191–200. Springer-Verlag, Berlin, 1999. [46] P. Gaudry, F. Hess, and N. P. Smart. Constructive and destructive facets of Weil descent on elliptic curves. J. Cryptology, 15(1):19–46, 2002. [47] S. Goldwasser and J. Kilian. Primality testing using elliptic curves. J. ACM, 46(4):450–472, 1999. [48] D. Hankerson, A. Menezes, and S. Vanstone. Guide to elliptic curve cryptography. Springer-Verlag, New York, 2004. [49] R. Hartshorne. Algebraic geometry. Springer-Verlag, New York, 1977. Graduate Texts in Mathematics, No. 52. ¨ [50] O. Herrmann. Uber die Berechnung der Fourierkoeffizienten der Funktion j(τ ). J. reine angew. Math., 274/275:187–195, 1975. Collection of articles dedicated to Helmut Hasse on his seventy-fifth birthday, III. [51] E. W. Howe. The Weil pairing and the Hilbert symbol. Math. Ann., 305(2):387–392, 1996. [52] D. Husemoller. Elliptic curves, (2nd ed.), volume 111 of Graduate Texts in Mathematics. Springer-Verlag, New York, 2004. With appendices by O. Forster, R. Lawrence, and S. Theisen. [53] H. Ito. Computation of the modular equation. Proc. Japan Acad. Ser. A Math. Sci., 71(3):48–50, 1995. [54] H. Ito. Computation of modular equation. II. Mem. College Ed. Akita Univ. Natur. Sci., (52):1–10, 1997.

REFERENCES

503

[55] M. J. Jacobson, N. Koblitz, J. H. Silverman, A. Stein, and E. Teske. Analysis of the xedni calculus attack. Des. Codes Cryptogr., 20(1):41– 64, 2000. [56] A. Joux. A one round protocol for tripartite Diffie-Hellman. In Algorithmic Number Theory (Leiden, The Netherlands, herefore maps2000), volume 1838 of Lecture Notes in Comput. Sci., pages 385–394. SpringerVerlag, Berlin, 2000. [57] A. Joux. The Weil and Tate pairings as building blocks for public key cryptosystems. In Algorithmic number theory (Sydney, Australia, 2002), volume 2369 of Lecture Notes in Comput. Sci., pages 20–32. Springer-Verlag, Berlin, 2002. [58] A. Joux and R. Lercier. Improvements to the general number field sieve for discrete logarithms in prime fields. A comparison with the Gaussian integer method. Math. Comp., 72(242):953–967, 2003. [59] E. Kani. Weil heights, N´eron pairings and V -metrics on curves. Rocky Mountain J. Math., 15(2):417–449, 1985. Number theory (Winnipeg, Man., 1983). [60] K. Kedlaya. Counting points on hyperelliptic curves using MonskyWashnitzer cohomology. J. Ramanujan Math. Soc., 16(4): 323-338, 2001; 18(4): 417-418, 2003. [61] A. W. Knapp. Elliptic curves, volume 40 of Mathematical Notes. Princeton University Press, Princeton, NJ, 1992. [62] N. Koblitz. Hyperelliptic cryptosystems. J. Cryptology, 1(3): 139–150, 1989. [63] N. Koblitz. CM-curves with good cryptographic properties. In Advances in cryptology—CRYPTO ’91 (Santa Barbara, CA, 1991), volume 576 of Lecture Notes in Comput. Sci., pages 279–287. Springer-Verlag, Berlin, 1992. [64] N. Koblitz. Introduction to elliptic curves and modular forms, volume 97 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1993. [65] N. Koblitz. A course in number theory and cryptography, volume 114 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1994. [66] N. Koblitz. Algebraic aspects of cryptography, volume 3 of Algorithms and Computation in Mathematics. Springer-Verlag, Berlin, 1998. With an appendix by A. J. Menezes, Y.-H. Wu, and R. J. Zuccherato. [67] D. S. Kubert. Universal bounds on the torsion of elliptic curves. Proc. London Math. Soc. (3), 33(2):193–237, 1976.

504

REFERENCES

[68] S. Lang. Elliptic curves: Diophantine analysis, volume 231 of Grundlehren der Mathematischen Wissenschaften. Springer-Verlag, Berlin, 1978. [69] S. Lang. Abelian varieties. Springer-Verlag, New York, 1983. Reprint of the 1959 original. [70] S. Lang. Elliptic functions, volume 112 of Graduate Texts in Mathematics. Springer-Verlag, New York, second edition, 1987. With an appendix by J. Tate. [71] S. Lang. Algebra, volume 211 of Graduate Texts in Mathematics. Springer-Verlag, New York, third edition, 2002. [72] H. Lange and W. Ruppert. Addition laws on elliptic curves in arbitrary characteristics. J. Algebra, 107(1):106–116, 1987. [73] G.-J. Lay and H. G. Zimmer. Constructing elliptic curves with given group order over large finite fields. In Algorithmic number theory (Ithaca, NY, 1994), volume 877 of Lecture Notes in Comput. Sci., pages 250–263. Springer-Verlag, Berlin, 1994. [74] H. W. Lenstra, Jr. Elliptic curves and number-theoretic algorithms. In Proceedings of the International Congress of Mathematicians, Vol. 1, 2 (Berkeley, Calif., 1986), pages 99–120, Providence, RI, 1987. Amer. Math. Soc. [75] H. W. Lenstra, Jr. Factoring integers with elliptic curves. Ann. of Math. (2), 126(3):649–673, 1987. [76] E. Liverance. Heights of Heegner points in a family of elliptic curves. PhD thesis, Univ. of Maryland, 1993. [77] B. Mazur. Rational isogenies of prime degree (with an appendix by D. Goldfeld). Invent. Math., 44(2):129–162, 1978. [78] H. McKean and V. Moll. Elliptic curves. Function theory, geometry, arithmetic. Cambridge University Press, Cambridge, 1997. [79] A. Menezes and M. Qu. Analysis of the Weil descent attack of Gaudry, Hess and Smart. In Topics in cryptology—CT-RSA 2001 (San Francisco, CA), volume 2020 of Lecture Notes in Comput. Sci., pages 308– 318. Springer-Verlag, Berlin, 2001. [80] A. J. Menezes, T. Okamoto, and S. A. Vanstone. Reducing elliptic curve logarithms to logarithms in a finite field. IEEE Trans. Inform. Theory, 39(5):1639–1646, 1993. [81] A. J. Menezes, P. C. van Oorschot, and S. A. Vanstone. Handbook of applied cryptography. CRC Press Series on Discrete Mathematics and its Applications. CRC Press, Boca Raton, FL, 1997. With a foreword by R. L. Rivest.

REFERENCES

505

[82] A. Menezes. Elliptic curve public key cryptosystems, volume 234 of The Kluwer International Series in Engineering and Computer Science. Kluwer Academic Publishers, Boston, MA, 1993. With a foreword by N. Koblitz. [83] V. Miller The Weil pairing and its efficient calculation. J. Cryptology, 17(4):235-161, 2004. [84] T. Nagell. Sur les propri´et´es arithm´etiques des cubiques planes du premier genre. Acta Math., 52:93–126, 1929. [85] J. Oesterl´e. Nouvelles approches du “th´eor`eme” de Fermat. Ast´erisque, (161-162):Exp. No. 694, 4, 165–186 (1989). S´eminaire Bourbaki, Vol. 1987/88. [86] IEEE P1363-2000. Standard specifications for public key cryptography. [87] J. M. Pollard. Monte Carlo methods for index computation (mod p). Math. Comp., 32(143):918–924, 1978. [88] V. Prasolov and Y. Solovyev. Elliptic functions and elliptic integrals, volume 170 of Translations of Mathematical Monographs. American Mathematical Society, Providence, RI, 1997. Translated from the Russian manuscript by D. Leites. [89] K. A. Ribet. From the Taniyama-Shimura conjecture to Fermat’s last theorem. Ann. Fac. Sci. Toulouse Math. (5), 11(1):116–139, 1990. [90] K. A. Ribet. On modular representations of Gal(Q/Q) arising from modular forms. Invent. Math., 100(2):431–476, 1990. [91] A. Robert. Elliptic curves. Springer-Verlag, Berlin, 1973. Lecture Notes in Mathematics, Vol. 326. [92] A. Rosing. Implementing elliptic curve cryptography. Manning Publications Company, 1999. [93] H.-G. R¨ uck. A note on elliptic curves over finite fields. Math. Comp., 49(179):301–304, 1987. [94] T. Satoh. On p-adic point counting algorithms for elliptic curves over finite fields. In Algorithmic number theory (Sydney, Australia, 2002), volume 2369 of Lecture Notes in Comput. Sci., pages 43–66. SpringerVerlag, Berlin, 2002. [95] T. Satoh and K. Araki. Fermat quotients and the polynomial time discrete log algorithm for anomalous elliptic curves. Comment. Math. Univ. St. Paul., 47(1):81–92, 1998. Errata: 48 (1999), 211-213. [96] E. Schaefer A new proof for the non-degeneracy of the Frey-R¨ uck pairing and a connection to isogenies over the base field. Computational aspects

506

REFERENCES

of algebraic curves, volume 13 in Lecture Notes Ser. Comput., pages 1–12, World Sci. Publ., Hackensack, NJ, 2005. [97] R. Schoof. Elliptic curves over finite fields and the computation of square roots mod p. Math. Comp., 44(170):483–494, 1985. [98] R. Schoof. Nonsingular plane cubic curves over finite fields. J. Combin. Theory Ser. A, 46(2):183–211, 1987. [99] R. Schoof. Counting points on elliptic curves over finite fields J. Th´eorie des Nombres de Bordeaux, 7: 219–254, 1995. [100] R. Schoof and L. Washington. Untitled. In Dopo le parole (aangeboden aan Dr. A. K. Lenstra. verzameld door H. W. Lenstra, Jr., J. K. Lenstra en P. van Emde Boas, Amsterdam, 16 mei, 1984. 1 page. [101] A. Selberg and S. Chowla. On Epstein’s zeta-function. J. reine angew. Math., 227:86–110, 1967. [102] I. A. Semaev. Evaluation of discrete logarithms in a group of p-torsion points of an elliptic curve in characteristic p. Math. Comp., 67(221):353– 356, 1998. [103] J.-P. Serre. Complex multiplication. In Algebraic Number Theory (Proc. Instructional Conf., Brighton, 1965), pages 292–296. Thompson, Washington, D.C., 1967. [104] J.-P. Serre. A course in arithmetic. Springer-Verlag, New York, 1973. Translated from the French, Graduate Texts in Mathematics, No. 7. [105] J.-P. Serre. Sur les repr´esentations modulaires de degr´e 2 de Gal(Q/Q). Duke Math. J., 54(1):179–230, 1987. [106] I. Shafarevich Basic algebraic geometry. Translated from the Russian by K. A. Hirsch. Die Grundlehren der mathematischen Wissenschaften, Band 213. Springer-Verlag, New York-Heidelberg, 1974. [107] D. Shanks. Class number, a theory of factorization, and genera. In 1969 Number Theory Institute (Proc. Sympos. Pure Math., Vol. XX, State Univ. New York, Stony Brook, NY, 1969), pages 415–440. Amer. Math. Soc., Providence, RI, 1971. [108] G. Shimura. Introduction to the arithmetic theory of automorphic functions, volume 11 of Publications of the Mathematical Society of Japan. Princeton University Press, Princeton, NJ, 1994. Reprint of the 1971 original, Kanˆ o Memorial Lectures, 1. [109] J. H. Silverman. The arithmetic of elliptic curves, volume 106 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1986. [110] J. H. Silverman. The difference between the Weil height and the canonical height on elliptic curves. Math. Comp., 55(192):723–743, 1990.

REFERENCES

507

[111] J. H. Silverman. Advanced topics in the arithmetic of elliptic curves, volume 151 of Graduate Texts in Mathematics. Springer-Verlag, New York, 1994. [112] J. H. Silverman. The xedni calculus and the elliptic curve discrete logarithm problem. Des. Codes Cryptogr., 20(1):5–40, 2000. [113] J. H. Silverman and J. Suzuki. Elliptic curve discrete logarithms and the index calculus. In Advances in cryptology—ASIACRYPT ’98 (Beijing, China), volume 1514 of Lecture Notes in Comput. Sci., pages 110–125. Springer-Verlag, Berlin, 1998. [114] J. H. Silverman and J. Tate. Rational points on elliptic curves. Undergraduate Texts in Mathematics. Springer-Verlag, New York, 1992. [115] N. P. Smart. The discrete logarithm problem on elliptic curves of trace one. J. Cryptology, 12(3):193–196, 1999. [116] J. Tate. The arithmetic of elliptic curves. Invent. Math., 23:179–206, 1974. [117] J. Tate. Algorithm for determining the type of a singular fiber in an elliptic pencil. In Modular functions of one variable, IV (Proc. Internat. Summer School, Univ. Antwerp, Antwerp, 1972), pages 33–52. Lecture Notes in Math., Vol. 476. Springer-Verlag, Berlin, 1975. [118] R. Taylor and A. Wiles. Ring-theoretic properties of certain Hecke algebras. Ann. of Math. (2), 141(3):553–572, 1995. [119] E. Teske. Speeding up Pollard’s rho method for computing discrete logarithms. In Algorithmic number theory (Portland, OR, 1998), volume 1423 of Lecture Notes in Comput. Sci., pages 541–554. Springer-Verlag, Berlin, 1998. [120] N. Th´eriault. Index calculus attack for hyperelliptic curves of small genus. Advances in cryptology —ASIACRYPT 2003, volume 2894 of Lecture Notes in Comput. Sci., pages 75–92. Springer-Verlag, Berlin, 2003. [121] W. Trappe and L. Washington. Introduction to cryptography with coding theory, (2nd ed.). Prentice Hall, Upper Saddle River, NJ, 2006. [122] J. B. Tunnell. A classical Diophantine problem and modular forms of weight 3/2. Invent. Math., 72(2):323–334, 1983. [123] J. V´elu Isog´enies entre courbes elliptiques. C. R. Acad. Sci. Paris S´er. A-B, 273:A238–A241, 1971. [124] E. Verheul. Evidence that XTR is more secure than supersingular elliptic curve cryptosystems. Eurocrypt 2001, volume 2045 in Lecture Notes in Computer Science, pages 195–210, Springer-Verlag, Berlin 2001.

508

REFERENCES

[125] S. Wagstaff. Cryptanalysis of number theoretic ciphers. Computational Mathematics Series. Chapman and Hall/CRC, Boca Raton, 2003. [126] D. Q. Wan. On the Lang-Trotter conjecture. 35(3):247–268, 1990.

J. Number Theory,

[127] X. Wang, Y. Yin, Yiqun, and H. Yu. Finding collisions in the full SHA1. Advances in cryptology—CRYPTO 2005, volume 3621 of Lecture Notes in Comput. Sci., pages 17–36, Springer, Berlin, 2005. [128] L. Washington. Wiles’ strategy. In Cuatrocientos a˜ nos de matem´ aticas ´ en torno al Ultimo Teorema de Fermat (ed. by C. Corrales Rodrig´ an ˜ez and C. Andradas), pages 117–136. Editorial Complutense, Madrid, 1999. Section 13.4 of the present book is a reworking of much of this article. [129] L. C. Washington. Introduction to cyclotomic fields, volume 83 of Graduate Texts in Mathematics, (2nd ed.). Springer-Verlag, New York, 1997. ´ [130] W. C. Waterhouse. Abelian varieties over finite fields. Ann. Sci. Ecole Norm. Sup. (4), 2:521–560, 1969. [131] A. Weil Courbes alg´ebriques et vari´et´es ab´eliennes. 2e ´ed.. Hermann & Cie., Paris, 1971. [132] E. Weiss. Cohomology of groups. Pure and Applied Mathematics, Vol. 34. Academic Press, New York, 1969. [133] A. Wiles. Modular elliptic curves and Fermat’s last theorem. Ann. of Math. (2), 141(3):443–551, 1995. [134] H. C. Williams. A p+1 method of factoring. Math. Comp., 39(159):225– 234, 1982.

Index

canonical divisor, 366 canonical height, 217 Cantor’s algorithm, 417 characteristic, 481 characteristic polynomial, 102, 333, 430 characteristic three, 74 characteristic two, 47, 52 Chinese remainder theorem, 69, 152, 182, 193, 427, 472 Chowla-Selberg formula, 293 ciphertext, 169 class number formula, 441 Clay Mathematics Institute, 441 Coates, 440 coboundary, 245 cocycle, 244 cohomology, 244, 245 complex multiplication, 197, 322, 336 conductor, 314, 436, 451 congruent number problem, 5 conic section, 33 conjecture of Taniyama-Shimura-Weil, 447, 455 Conrad, 436, 437 Crandall, 446 Cremona, 111 cryptography, 169 cubic equations, 36 cusp, 456 cusp form, 450 cyclic group, 478

Abel-Jacobi theorem, 266 abelian variety, 215, 336 additive reduction, 64, 434 Adleman, 424 affine plane, 19 algebraic, 481 algebraic closure, 481 algebraic curve, 364 algebraic integer, 314, 322 algebraically independent, 485 Alice, 169 analytic continuation, 438 anomalous curves, 159, 165 arithmetic-geometric mean, 290 Artin, E., 430, 431 Artin, M., 432 associativity, 20 Atkin, 123, 396, 399 Atkin prime, 401 automorphism, 47, 74 baby step, giant step, 112, 146, 151, 166, 197 bad reduction, 436 basis, 79, 87 Bellare, 180 Bernoulli numbers, 445 beta function, 310 Birch-Swinnerton-Dyer conjecture, 440 Bob, 169 Boneh-Franklin, 184 Breuil, 436, 437 Brumer, 447 Buhler, 446

decision Diffie-Hellman problem, 171, 172 deformations, 468

cannonballs, 1

509

510

INDEX

degree, 51, 83, 87, 89, 100, 258, 339, 382, 387, 423 Deligne, 432, 452 ∆, 269, 275 DeMarrais, 424 descent, 209 deterministic, 151 Deuring’s lifting theorem, 320 Diamond, 436, 437 Diffie-Hellman key exchange, 170 Diffie-Hellman problem, 171, 174 digital signature algorithm, 179 digital signatures, 175 Diophantus, 1, 8 direct sum, 478 Dirichlet unit theorem, 442 discrete logarithm, 18, 143, 144, 157, 407, 420, 424 discriminant, 314 division polynomials, 80, 81, 83, 124, 294, 297, 300, 397 divisor, 258, 339, 364, 409 divisor of a function, 259, 342, 364 doubly periodic function, 258 Doud, 302 dual isogeny, 382, 391, 396, 402, 405 Dwork, 430 ECIES, 180 Edwards coordinates, 44 Eichler, 437, 451 Eisenstein series, 267, 273 ElGamal digital signatures, 175, 187 ElGamal public key encryption, 174 Elkies, 123, 136, 396 Elkies prime, 401 elliptic curve, 9, 67, 310 elliptic curve factorization, 192 elliptic integral, 287, 310 elliptic regulator, 440 endomorphism, 50, 313, 319 Ernvall, 446 Euler product, 432, 433, 435 Eve, 169

exact sequence, 244, 246 factor base, 144 factoring, 181, 183, 189, 192 Faltings, 402, 451 Fermat, 231 Fermat’s Last Theorem, 7, 36, 38, 445, 455 field, 481 finite field, 482 finite representation, 453 flex, 93 Floyd, 148 Fouvry, 136 Frey, 157 Frey curve, 446, 454 Frey-R¨ uck attack, 157 Frobenius automorphism, 482 Frobenius endomorphism, 52, 58, 87, 98, 124, 142, 156, 318, 333, 351, 391, 430, 449 function, 339 functional equation, 430, 431, 438 fundamental domain, 278, 456 fundamental parallelogram, 257 G-module, 244 g2 , 268, 274 g3 , 268, 274 Galois representation, 80, 448 gamma function, 293, 310, 437 Gaudry, 424 Gauss, 115, 288, 417 generalized Weierstrass equation, 10, 15, 48, 254, 434 genus, 366 Goldwasser-Kilian test, 196 good reduction, 64, 433 Gross, 440 Grothendieck, 432 group, 477 group law, 14, 71, 272 Harley, 111, 424 hash function, 177, 187, 188

INDEX

Hasse’s theorem, 97, 100, 423, 431 Hasse-Minkowski theorem, 238 Hecke algebra, 450, 452, 459 Hecke operator, 450, 459 Heegner points, 440 height, 216 height pairing, 230 Hellegouarch, 446 Hensel’s lemma, 241, 474 Hessian, 93 homomorphism, 480 homothetic, 273, 316 Huang, 424 hyperelliptic curve, 407, 408 hyperelliptic involution, 408 imaginary quadratic field, 314 index, 478, 509 index calculus, 144, 423 infinite descent, 231 isogenous, 381 isogeny, 142, 236, 381, 386, 397, 451 isomorphic, 389 j-function, 275, 276 j-invariant, 46–48, 73, 74, 139, 322, 331, 337 Jacobi sum, 118 Jacobian, 407, 415, 458 Jacobian coordinates, 43 Jugendtraum, 336 kangaroos, 150 kernel, 480 key, 169 Koblitz, 174, 407, 423 Kolyvagin, 252, 441 Kramer, 447 Kronecker-Weber theorem, 336 Kummer, 445 L-function, 433, 435 L-series, 447 Lagrange’s theorem, 477

511

Lang-Trotter method, 106 Langlands, 462 lattice, 257, 479 Legendre equation, 35, 73, 132 Legendre symbol, 104, 140 Lenstra, 189 level, 450, 453 lines, 72, 73 local rings, 66 local-global principle, 238 Lutz-Nagell, 205 Magma, 492 Massey-Omura encryption, 173 maximal order, 319 Mazur, 208, 447 Mestre, 108 Mets¨ankyl¨ a, 446 minimal Weierstrass equation, 434 modular curve, 456 modular elliptic curve, 447, 458 modular form, 447, 450 modular polynomial, 329, 383, 398, 399 modular representation, 453 Mordell, 215 Mordell-Weil theorem, 16, 216 MOV attack, 154, 158 multiplication by n, 83 multiplicative reduction, 64, 434 Mumford representation, 415 Murty, 136 newform, 450 Newton’s method, 413 nonsingular curve, 23, 24 nonsplit multiplicative reduction, 64, 434 normalized, 451 Nyberg-Rueppel signature, 188 oldform, 450 order, 106, 258, 279, 314, 340, 471, 477 ordinary, 79, 319, 320

512

INDEX

p-adic absolute value, 472 p-adic numbers, 318, 472 p-adic valuation, 160, 199, 472 p − 1 factorization method, 191 pairings, 154 PalmPilot, 169 Pappus’s theorem, 34 parallelogram law, 217 Pari, 489 Pascal’s theorem, 33 periods, 258, 284, 286 Picard-Fuchs differential equation, 137 plaintext, 169 Pocklington-Lehmer test, 194 Pohlig-Hellman method, 151, 167 point at infinity, 11, 20, 408 points at infinity, 18 pole, 340 Pollard’s λ method, 150 Pollard’s ρ method, 147, 425 primality testing, 189, 194, 196 prime, 423 prime number theorem, 141 primitive, 65 primitive root, 471 principal divisor, 342 probabilistic, 151 projective coordinates, 42 projective space, 18, 65, 72 public key encryption, 170 Pythagorean triples, 231 quadratic field, 314 quadratic surface, 39 quaternions, 318, 319, 321, 338 ramified, 318, 319 rank, 16, 223, 479 reduced divisor, 411 reduction, 63, 70, 207, 416 residue, 258 Ribet, 448, 454 Riemann hypothesis, 430, 431 Riemann-Hurwitz, 395

Riemann-Roch theorem, 366, 413, 414 rings, 65 Rogaway, 180 root of unity, 87, 483 RSA, 181 Rubin, 252, 441 R¨ uck, 157 Sage, 494 Schmidt, 430, 431 Schoof’s algorithm, 123, 396 Selmer group, 237, 252 semi-reduced, 411 semistable, 76, 437, 446, 447 separable, 387 separable endomorphism, 51, 58, 87, 351 Serre, 452 Shafarevich-Tate group, 237, 239, 252, 440 Shanks, 146 Shimura, 336, 436, 437, 451 Shimura curve, 460 SL2 (Z), 276 smooth, 191, 423, 424 split, 318, 319 split multiplicative reduction, 64, 434 structure theorems, 478 subexponential algorithm, 145 subfield curves, 102 successive doubling, 17, 18, 361 successive squaring, 140 sum, 339 supersingular, 79, 130, 133, 142, 156, 168, 183, 185, 319, 321 symmetric encryption, 169 symmetric square, 470 tangent line, 24 tangent space, 465 Taniyama, 436, 437 Tate, 401

INDEX

Tate-Lichtenbaum pairing, 90, 157, 167, 168, 354, 360, 364, 374, 375 Tate-Shafarevich group, 238 Taylor, 436, 437 Th´eriault, 424 torsion, 88, 302, 479 torsion points, 77, 79 torsion subgroup, 206, 208, 223 torus, 257, 267, 283, 285 transcendence degree, 485 tripartite Diffie-Hellman, 172 Tunnell, 462 twist, 47, 75, 108, 141, 334 twisted homomorphisms, 245 uniformizer, 340 universal deformation, 468 unramified representation, 453 upper half plane, 273, 276, 436 V´elu, 392 van Duin, 178 Vandiver, 446 Wan, 136 Wang, 178 Waterhouse, 98 weak Mordell-Weil theorem, 214 Weierstrass ℘-function, 262, 303, 341, 386 Weierstrass equation, 9 Weierstrass equation, generalized, 10, 15, 48 Weil, 215, 423, 431, 436, 437 Weil conjectures, 431 Weil pairing, 86, 87, 154, 171, 172, 184, 185, 350, 359, 360 Weil reciprocity, 357 Wiles, 437, 440, 448, 461 xedni calculus, 165 Yin, 178 Yu, 178

513

Zagier, 440 zero, 340 zeta function, 273, 430, 432, 441

Mathematics DISCRETE MATHEMATICS AND ITS APPLICATIONS

Second Edition

Series Editor KENNETH H. ROSEN

DISCRETE MATHEMATICS AND ITS APPLICATIONS Series Editor KENNETH H. ROSEN

Number Theory and Cryptography Second Edi tion

L AW RE NCE C. WA SHI NGTON Like its bestselling predecessor, Elliptic Curves: Number Theory and Cryptography, Second Edition develops the theory of elliptic curves to provide a basis for both number theoretic and cryptographic applications. With additional material, this edition offers more comprehensive coverage of the fundamental theory, techniques, and applications of elliptic curves. New to the Second Edition • Chapters on isogenies and hyperelliptic curves • A discussion of alternative coordinate systems, such as projective, Jacobian, and Edwards coordinates, along with related computational issues • A more complete treatment of the Weil and Tate–Lichtenbaum pairings • Doud’s analytic method for computing torsion on elliptic curves over Q • An explanation of how to perform calculations with elliptic curves in several popular computer algebra systems

C7146

WA SHI NGTON

Taking a basic approach to elliptic curves, this accessible book prepares readers to tackle more advanced problems in the field. It introduces elliptic curves over finite fields early in the text, before moving on to interesting applications, such as cryptography, factoring, and primality testing. The book also discusses the use of elliptic curves in Fermat’s Last Theorem. Relevant abstract algebra material on group theory and fields can be found in the appendices.

El l i p t ic Curves

Elliptic Curves

Elliptic Curves Number Theory and Cryptography S e cond E dit ion

L AWRENCE C. WA SHINGTON

www.crcpress.com

C7146_Cover.indd 1

3/3/08 8:29:04 AM